How to load Java property files for CodeQL analysis #4500

Closed
carlpulley opened this issue Oct 16, 2020 · 4 comments
Labels
Java question Further information is requested

Comments

@carlpulley

How to load Java property files for CodeQL analysis

I'm using CodeQL CLI version 1.25.0 to analyse a Java Spring project that is built using Gradle 6.5.1.

When creating the query database, I'm able to create it such that both main and test Java files are present.

However, the property files in main/resources and test/resources fail to be included in the query database - I'm able to confirm this by:

  • using Visual Studio Code to navigate the CodeQL source DB and observe that no property files are present within the directory structure (which is also verified by repeating the search at the command line by unzipping source_db/src.zip)
  • using CodeQL and running the query from JavaProperty prop select prop to observe no results are returned.

I've attempted to load property files by specifying the relevant Spring active profile (e.g. by passing -Dspring.active.profile=XXX to the ./gradlew clean compile command as passed to CodeQL), but this has not changed my outcomes.

Any pointers, tips, ideas, etc. as to how to get Spring property files loaded into CodeQL for analysis are greatly appreciated.

@carlpulley carlpulley added the question Further information is requested label Oct 16, 2020
@carlpulley
Author

I should point out that I've tried the obvious variant of the index-files trick detailed on #3887 for the java language - unfortunately, the java extractor has no file indexing capability and so trying to index .properties files failed for me.

@Marcono1234
Contributor

Marcono1234 commented Mar 3, 2021

Similar to #3945 (comment), it appears there is an environment variable LGTM_INDEX_PROPERTIES_FILES; setting it to true might solve this.

Additionally the java/tools/pre-finalize.sh script uses --include-extension=.properties --language properties; maybe you could use that with the steps provided in #3887 (comment)?

@carlpulley
Author

@Marcono1234 thanks for this and for pointing out those useful references.

I'm now able to confirm that with the line:

codeql database index-files --language properties --include-extension .properties --working-dir=/opt/src /opt/results

I can observe that property files are being indexed into my CodeQL databases.

From my PoV, this issue is now resolved.
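
The command above in the context of a full database build, as an added example that is not part of the original thread or the CodeQL project's own scripts. It assumes the database is built with the CLI's step-by-step commands so that index-files runs before finalization; the function names, paths and build command are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Function names, paths and the build
# command are placeholders chosen for illustration.

# Build a Java database step by step so that .properties files are indexed
# before the database is finalized.
# Usage: build_db_with_properties <db-dir> <source-root> <build command...>
#   e.g. build_db_with_properties /opt/results /opt/src ./gradlew clean compile
build_db_with_properties() {
    db=$1; src=$2; shift 2
    [ "$#" -gt 0 ] || { echo "missing build command" >&2; return 2; }

    # 1. Create an empty, unfinalized database for the Java extractor.
    codeql database init --language=java --source-root="$src" "$db" || return 1
    # 2. Trace the real build so the Java sources are extracted.
    codeql database trace-command "$db" -- "$@" || return 1
    # 3. The step confirmed in the thread: index .properties files.
    codeql database index-files --language properties \
        --include-extension .properties --working-dir="$src" "$db" || return 1
    # 4. Finalize; after this the database can be queried.
    codeql database finalize "$db" || return 1
}

# List the .properties files archived in the database's src.zip, the same
# check the issue describes doing by hand. Returns non-zero when none are
# present, so it can gate a CI job before any config-file queries run.
list_indexed_properties() {
    unzip -Z1 "$1/src.zip" | grep '\.properties$'
}
```

If `list_indexed_properties` fails after a build, queries over configuration values will silently return nothing, which is easy to mistake for a clean result.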

@Marcono1234
Contributor

No problem, though maybe it would be good to create a new issue for including certain Properties files?
I am not familiar with Spring, but it appears application.properties is a file which is recognized by default; are there more?

For #3945, struts.xml was added to the default indexed XML files, so maybe the maintainers could change CodeQL CLI to index certain Spring Properties files as well.
