[master] Better config for CodeQL analysis #1160
pull_request: | ||
# The branches below must be a subset of the branches above | ||
branches: [master] | ||
branches: * |
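Review bot: a bare `*` after `branches:` is read by YAML as an alias indicator, not as a glob, so this line will make the workflow fail to parse; quote it as `branches: ['*']` (or `['**']` if branches containing `/` are meant to be included). The comment kept on the line above still says the pull_request branches must be a subset of the push branches, which a wildcard no longer satisfies while push stays on `[master]`; either drop or reword that comment, or keep `[master]` here.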
Keep only master; different configs are needed for the other versions (3.0 and 2.7 require Java SE 8 for the build; CodeQL would be nice to have there; 2.6 (and older) should be completely excluded).
Okay, I'll add configs for 3.0 and 2.7.
> 2.6 (and older) should be completely excluded
Are they not supported any more?
Note that 2.x does use Ant for the build (see i.e. the Travis config in the branch or the specific build instructions).
For 2.6 and older there is only very limited support; it does not make sense to consume too many resources for that these days.
> Note that 2.x does use Ant for the build (see i.e. the Travis config in the branch or the specific build instructions).
Hope CodeQL can work with Ant.
> For 2.6 and older there is only very limited support; it does not make sense to consume too many resources for that these days.
Agree. Would it still make sense to fix severe security issues if CodeQL finds them in 2.6 and older?
Those would be present in master/3.0 and 2.7 as well. Everything going to 2.6 must go through the newer versions first.
Signed-off-by: Artem Smotrakov <artem.smotrakov@gmail.com>
Updates:
- `-Denforcer.skip` has been added to the build command. LGTM uses Maven 3.6.0 by default, which works for EclipseLink.
- Updated the CodeQL workflow to analyse pull requests against all branches, not only master.
- Java build passes with the updated config: https://lgtm.com/logs/6866d0b9a7d8f2f98e882d4e5a0115c8d1efab85/lang:java

Fixes #1159

Signed-off-by: Artem Smotrakov <artem.smotrakov@gmail.com>
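As an added illustration (not the workflow file from this PR or from EclipseLink), a CodeQL workflow shaped like the changes described in this thread: pushes analysed on master only, pull requests against any branch, and `-Denforcer.skip` on the Maven build. The JDK version, the action versions and the Maven goals are assumptions.

```yaml
# Added illustration, not the repository's own workflow. Assumed: JDK 11 on
# master, actions/checkout@v2, actions/setup-java@v1, codeql-action@v1, and
# "package -DskipTests" as the Maven goals.
name: CodeQL

on:
  push:
    # Reviewer asked to keep push analysis on master; 3.0/2.7 branches need
    # their own configs (Java SE 8), and 2.6 and older are excluded entirely.
    branches: [master]
  pull_request:
    # Analyse pull requests against every branch, not only master.
    # A bare "*" would be parsed as a YAML alias, so the glob must be quoted.
    branches: ['*']

jobs:
  analyze:
    name: Analyze (java)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Set up JDK
        uses: actions/setup-java@v1
        with:
          java-version: 11   # assumption for master; 3.0 and 2.7 require Java SE 8

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v1
        with:
          languages: java

      # CodeQL for Java traces a real compilation, so the project must actually
      # build here. -Denforcer.skip turns off the maven-enforcer-plugin checks;
      # the PR notes that LGTM's default Maven 3.6.0 then builds EclipseLink.
      - name: Build with Maven
        run: mvn -B -Denforcer.skip -DskipTests package

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v1
```

Branches that build with Ant (2.x) need a separate workflow whose build step invokes Ant instead of Maven; the one above only covers the Maven-based master.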