No findings when manual (bazel) build-mode

[Pabloo-ss]

Description of the issue

I am trying to use code scanning in two of my projects (a Java and a Go app), both using bazel as building tool. I set manual as build-mode and write the building command:

bazel build //<target>

The problems I encountered are:

• Java app fail at running the building bazel command and I couldn't figure out why.
• Go app compilation is successfully completed but no alert is created (I manually included vulnerable code). Nonetheless, when I set buid-mode to autobuild, an alert is created.

What I want to know if codeQL (and therefore GH code scanning) works properly when bazel comes into play? Does it need additional set up?

Thanks in advance!!

[mbg]

Hi @Pabloo-ss 👋🏻

Thanks for the question. Firstly, for Go, we do not support builds with Bazel. That is because Bazel does not use the ordinary Go build tooling (i.e. go build) under the hood when building Go applications. Unfortunately it is not straightforward to add support for the way that Bazel builds Go projects. We monitor how much demand there is for this and may look into adding support in the future, but we do not currently have any plans to work on this.

For Java, we do support Bazel-based builds and have an example in our documentation:

# Navigate to the Bazel workspace.

# Before building, remove cached objects
# and stop all running Bazel server processes.
bazel clean --expunge

# Build using the following Bazel flags, to help CodeQL detect the build:
# `--spawn_strategy=local`: build locally, instead of using a distributed build
# `--nouse_action_cache`: turn off build caching, which might prevent recompilation of source code
# `--noremote_accept_cached`, `--noremote_upload_local_results`: avoid using a remote cache
# `--disk_cache=`: avoid using a disk cache. Note that a disk cache is no longer considered a remote cache as of Bazel 6.
codeql database create new-database --language=<language> \
--command='bazel build --spawn_strategy=local --nouse_action_cache --noremote_accept_cached --noremote_upload_local_results --disk_cache= //path/to/package:target'

# After building, stop all running Bazel server processes.
# This ensures future build commands start in a clean Bazel server process
# without CodeQL attached.
bazel shutdown

[Pabloo-ss]

Hello!
Its a pity to hear from Go not being supported, we would love to see it...
I managed to get results out of Java, and C++ too!!
Thanks a lot for your replay :)

[mbg]

Great to hear you got this to work for Java and C++! I will go ahead and close this issue then.