CodeQl scanning #6116

jenkinszolve · 2021-06-21T05:59:56Z

jenkinszolve
Jun 21, 2021

Hi,
We are having a Java project and in GHAS code scanning we can see that only a quarter of the lines only got scanned (3.54k / 8.62k.), attached screenshot.
We would like to know why it's not scanning the full lines.
Would like to know the logic behind scanning for java apps specifically, and why it's skipping most of the lines.

Answered by GeekMasher

Jul 1, 2021

There could be a number of reasons that the CodeQL analysis only picks up X number of line of code during the build.

While compiling code, not all files / lines were build

In some cases using auto-build or manual build commands there can be some source code that isn't compiled.
These could be tests, dead code that isn't build or a few other reasons.

Unsupported Compilers

Some compilers do not work with CodeQL and can cause issues while analysing the code.
An example of this is Project Lombok where it using non-public compiler APIs in order to achieve the modifications to compiler behavior that it needs.
In doing so, it makes assumptions that are not valid for CodeQL's Java extractor s…

View full answer

smowton · 2021-06-22T14:00:59Z

smowton
Jun 22, 2021
Maintainer

We trace those particular Java files that are encountered during a particular build. If you ran mvn compile on a clean checkout, would you expect every Java file in the repository to be touched?

1 reply

niroshan Jun 24, 2021

@GeekMasher - could you lean in please

GeekMasher · 2021-07-01T16:39:27Z

GeekMasher
Jul 1, 2021

There could be a number of reasons that the CodeQL analysis only picks up X number of line of code during the build.

While compiling code, not all files / lines were build

In some cases using auto-build or manual build commands there can be some source code that isn't compiled.
These could be tests, dead code that isn't build or a few other reasons.

Unsupported Compilers

Some compilers do not work with CodeQL and can cause issues while analysing the code.
An example of this is Project Lombok where it using non-public compiler APIs in order to achieve the modifications to compiler behavior that it needs.
In doing so, it makes assumptions that are not valid for CodeQL's Java extractor so the code cannot be analyzed.

Recommendations

First is to make sure that you run the exact same build command as you would in production. This makes sure that you are tell CodeQL exactly what to build.

Secondly, I recommend downloading the CodeQL database from your Actions workflow. This can be done using the the actions/upload-artifact step after you have performed you analysis step. Example below:

# ... 
- uses: actions/upload-artifact@v2
  with:
    name: codeql-database
    path: ../codeql-database

Once you have done that, download the CodeQL Database and find the src.zip file inside the uploaded archive. Take a look and compare the source code files found in the repository and the files in the CodeQL database.

Hopefully you discover why CodeQL isn't discovering all the source code files or which are the missing and the reason why.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CodeQl scanning #6116

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments 1 reply

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

CodeQl scanning #6116

jenkinszolve Jun 21, 2021

Replies: 2 comments · 1 reply

smowton Jun 22, 2021 Maintainer

niroshan Jun 24, 2021

GeekMasher Jul 1, 2021

Recommendations

jenkinszolve
Jun 21, 2021

Replies: 2 comments 1 reply

smowton
Jun 22, 2021
Maintainer

GeekMasher
Jul 1, 2021