[Public Beta] CodeQL can scan Java projects without a build

[coadaflorin]

Select Topic Area

Product Feedback

Body

A key requirement for scanning Java with CodeQL was to have a working build. We are now able to scan Java projects without the need for a working build. We really ❤️ feedback and while this feature is in a public beta we welcome feedback about this new approach for scanning Java.

Who is this available for?

This feature is available now to all GitHub code scanning users via default setup.

[ebickle]

Can you clarify how this works internally? Is there a new extractor that directly parses Java and Kotlin code (similar to Javascript, Typescript, and Python) or does it still try to run an autobuild and then try to analyze the instrumented results of the failed build?

I tried this out on a Java repository (no Kotlin code) that had never had CodeQL enabled and noticed it still ran the autobuild action.

[coadaflorin]

Hey @ebickle! We always directly scan the source code, but for static languages like Java we need additional information to produce accurate results.
The Autobuild action itself will still run, but if you expand that you'll notice a message that indicates we are not using a build. The step is still there, but there won't be an actual build happening. Here's an example: https://github.com/fnc-test/AltoroJ2/actions/runs/8290693802/job/22689162296#step:4:80

If you visit the Tool Status Page you will also see an indication of this happening.

[ebickle]

@coadaflorin Thanks! I see what's happening now - it's triggering Maven to download dependencies (and potentially other tasks) and getting a BUILD SUCCESS message as a result, even though it's not actually running through a compilation. Very cool!

[coadaflorin]

Let us know how things go for you!