How to load Java property files for CodeQL analysis

[carlpulley]

How to load Java property files for CodeQL analysis

I'm using CodeQL CLI version 1.25.0 to analyse a Java Spring project that is built using Gradle 6.5.1.

When creating the query database, I'm able to create it such that both main and test Java files are present.

However, the property files in main/resources and test/resources fail to be included in the query database - I'm able to confirm this by:

• using Visual Studio Code to navigate the CodeQL source DB and observe that no property files are present within the directory structure (which is also verified by repeating the search at the command by unzipping source_db/src.zip)
• using CodeQL and running the query from JavaProperty prop select prop to observe no results are returned.

I've attempted to load property files by specifying the relevant Spring active profile (e.g. by passing -Dspring.active.profile=XXX to the ./gradlew clean compile command as passed to CodeQL), but have not changed my outcomes.

Any pointers, tips, ideas, etc. as to how to get Spring property files loaded into CodeQL for analysis are greatly appreciated.

[carlpulley]

I should point out that I've tried the obvious variant of the index-files trick detailed on #3887 for the java language - unfortunately, the java extractor has no file indexing capability and so trying to index .properties files failed for myself.

[Marcono1234]

Similar to #3945 (comment), it appears there is an environment variable LGTM_INDEX_PROPERTIES_FILES; setting it to true might solve this.

Additionally the java/tools/pre-finalize.sh script uses --include-extension=.properties --language properties; maybe you could use that with the steps provided in #3887 (comment)?

[carlpulley]

@Marcono1234 thanks for this and for pointing out those useful references.

I'm now able to confirm that with the line:

codeql database index-files --language properties --include-extension .properties --working-dir=/opt/src /opt/results

I can observe that property files are being indexed into my CodeQL databases.

From my PoV, this issue is now resolved.

[Marcono1234]

No problem, though maybe it would be good to create a new issue for including certain Properties files?
I am not familiar with Spring, but it appears application.properties is a file which is recognized by default; are there more?

For #3945, struts.xml was added to the default indexed XML files, so maybe the maintainers could change CodeQL CLI to index certain Spring Properties files as well.