Description
These are the same across both machines
Codeql CLI Version: 2.20.3
Local Codeql Files: e27d8c16729588259f8143c7ed4569d517b0de10
Hello,
I am trying to figure out an issue that I am having when it comes to getting the same results as I have on my Windows machine on my Linux machine. This first started when I cloned my work over to my Linux machine and noticed that one of my queries that works just fine on my Windows machine was failing. Some of my queries also have different results.
This leads me to think there is an issue with how the CodeQL dependencies are being resolved across my two machines. Since my Windows version is working, I decided to look into the logs.
This is what I see
[2025-05-02 15:21:36] Calling plumbing command: codeql resolve extensions-by-pack --search-path=C:\Users\kyler\OneDrive\Documents\Work\hawaii-pique-cwe200\codeql --qlconfig-file=C:\Users\kyler\OneDrive\Documents\Work\hawaii-pique-cwe200\backend\qlconfig.yml --include-extension-row-locations -- C:\Users\kyler\OneDrive\Documents\Work\hawaii-pique-cwe200\codeql\codeql-custom-queries-java
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] custom-codeql-queries: not 0.0.1 {root: custom-codeql-queries@0.0.1}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [DERIVATION] custom-codeql-queries: 0.0.1 {custom-codeql-queries: not 0.0.1 {root: custom-codeql-queries@0.0.1}}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] custom-codeql-queries: * [*], codeql/java-all: not * [*] {dependency: custom-codeql-queries@* [*] requires codeql/java-all@6.1.0}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [DECISION 1] custom-codeql-queries: 0.0.1
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [DERIVATION] codeql/java-all: * [*] {custom-codeql-queries: * [*], codeql/java-all: not * [*] {dependency: custom-codeql-queries@* [*] requires codeql/java-all@6.1.0}}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/java-all: * [*], codeql/dataflow: not * [*] {dependency: codeql/java-all@* [*] requires codeql/dataflow@1.1.10-dev}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/java-all: * [*], codeql/mad: not * [*] {dependency: codeql/java-all@* [*] requires codeql/mad@1.0.16-dev}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/java-all: * [*], codeql/rangeanalysis: not * [*] {dependency: codeql/java-all@* [*] requires codeql/rangeanalysis@1.0.16-dev}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/java-all: * [*], codeql/regex: not * [*] {dependency: codeql/java-all@* [*] requires codeql/regex@1.0.16-dev}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/java-all: * [*], codeql/threat-models: not * [*] {dependency: codeql/java-all@* [*] requires codeql/threat-models@1.0.16-dev}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/java-all: * [*], codeql/tutorial: not * [*] {dependency: codeql/java-all@* [*] requires codeql/tutorial@1.0.16-dev}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/java-all: * [*], codeql/typeflow: not * [*] {dependency: codeql/java-all@* [*] requires codeql/typeflow@1.0.16-dev}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/java-all: * [*], codeql/typetracking: not * [*] {dependency: codeql/java-all@* [*] requires codeql/typetracking@1.0.16-dev}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/java-all: * [*], codeql/util: not * [*] {dependency: codeql/java-all@* [*] requires codeql/util@2.0.3-dev}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/java-all: * [*], codeql/xml: not * [*] {dependency: codeql/java-all@* [*] requires codeql/xml@1.0.16-dev}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [DECISION 2] codeql/java-all: 6.1.1-dev
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [DERIVATION] codeql/xml: * [*] {codeql/java-all: * [*], codeql/xml: not * [*] {dependency: codeql/java-all@* [*] requires codeql/xml@1.0.16-dev}}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [DERIVATION] codeql/util: * [*] {codeql/java-all: * [*], codeql/util: not * [*] {dependency: codeql/java-all@* [*] requires codeql/util@2.0.3-dev}}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [DERIVATION] codeql/typetracking: * [*] {codeql/java-all: * [*], codeql/typetracking: not * [*] {dependency: codeql/java-all@* [*] requires codeql/typetracking@1.0.16-dev}}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [DERIVATION] codeql/typeflow: * [*] {codeql/java-all: * [*], codeql/typeflow: not * [*] {dependency: codeql/java-all@* [*] requires codeql/typeflow@1.0.16-dev}}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [DERIVATION] codeql/tutorial: * [*] {codeql/java-all: * [*], codeql/tutorial: not * [*] {dependency: codeql/java-all@* [*] requires codeql/tutorial@1.0.16-dev}}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [DERIVATION] codeql/threat-models: * [*] {codeql/java-all: * [*], codeql/threat-models: not * [*] {dependency: codeql/java-all@* [*] requires codeql/threat-models@1.0.16-dev}}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [DERIVATION] codeql/regex: * [*] {codeql/java-all: * [*], codeql/regex: not * [*] {dependency: codeql/java-all@* [*] requires codeql/regex@1.0.16-dev}}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [DERIVATION] codeql/rangeanalysis: * [*] {codeql/java-all: * [*], codeql/rangeanalysis: not * [*] {dependency: codeql/java-all@* [*] requires codeql/rangeanalysis@1.0.16-dev}}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [DERIVATION] codeql/mad: * [*] {codeql/java-all: * [*], codeql/mad: not * [*] {dependency: codeql/java-all@* [*] requires codeql/mad@1.0.16-dev}}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [DERIVATION] codeql/dataflow: * [*] {codeql/java-all: * [*], codeql/dataflow: not * [*] {dependency: codeql/java-all@* [*] requires codeql/dataflow@1.1.10-dev}}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/dataflow: * [*], codeql/ssa: not * [*] {dependency: codeql/dataflow@* [*] requires codeql/ssa@1.0.16-dev}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/dataflow: * [*], codeql/typetracking: not * [*] {dependency: codeql/dataflow@* [*] requires codeql/typetracking@1.0.16-dev}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/dataflow: * [*], codeql/util: not * [*] {dependency: codeql/dataflow@* [*] requires codeql/util@2.0.3-dev}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [DECISION 3] codeql/dataflow: 1.1.10-dev
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [DERIVATION] codeql/ssa: * [*] {codeql/dataflow: * [*], codeql/ssa: not * [*] {dependency: codeql/dataflow@* [*] requires codeql/ssa@1.0.16-dev}}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/mad: * [*], codeql/dataflow: not * [*] {dependency: codeql/mad@* [*] requires codeql/dataflow@1.1.10-dev}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/mad: * [*], codeql/util: not * [*] {dependency: codeql/mad@* [*] requires codeql/util@2.0.3-dev}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [DECISION 4] codeql/mad: 1.0.16-dev
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/rangeanalysis: * [*], codeql/util: not * [*] {dependency: codeql/rangeanalysis@* [*] requires codeql/util@2.0.3-dev}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [DECISION 5] codeql/rangeanalysis: 1.0.16-dev
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/regex: * [*], codeql/util: not * [*] {dependency: codeql/regex@* [*] requires codeql/util@2.0.3-dev}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [DECISION 6] codeql/regex: 1.0.16-dev
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/ssa: * [*], codeql/util: not * [*] {dependency: codeql/ssa@* [*] requires codeql/util@2.0.3-dev}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [DECISION 7] codeql/ssa: 1.0.16-dev
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [DECISION 8] codeql/threat-models: 1.0.16-dev
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [DECISION 9] codeql/tutorial: 1.0.16-dev
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/typeflow: * [*], codeql/util: not * [*] {dependency: codeql/typeflow@* [*] requires codeql/util@2.0.3-dev}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [DECISION 10] codeql/typeflow: 1.0.16-dev
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/typetracking: * [*], codeql/util: not * [*] {dependency: codeql/typetracking@* [*] requires codeql/util@2.0.3-dev}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [DECISION 11] codeql/typetracking: 1.0.16-dev
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [DECISION 12] codeql/util: 2.0.3-dev
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/xml: * [*], codeql/util: not * [*] {dependency: codeql/xml@* [*] requires codeql/util@2.0.3-dev}
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [DECISION 13] codeql/xml: 1.0.16-dev
Now here is my qlpack.yml, located at codeql/codeql-custom-queries-java/qlpack.yml:
---
library: false
warnOnImplicitThis: false
name: custom-codeql-queries
version: 0.0.1
dependencies:
  codeql/java-all: 6.1.0
libraries:
  - name: SensitiveInfo
    path: /SensitiveInfo
dataExtensions:
  - SensitiveInfo/*.yml
Here is also my codeql-pack.lock.yml:
---
lockVersion: 1.0.0
dependencies:
  codeql/dataflow:
    version: 1.1.9
  codeql/java-all:
    version: 6.1.0
  codeql/mad:
    version: 1.0.15
  codeql/rangeanalysis:
    version: 1.0.15
  codeql/regex:
    version: 1.0.15
  codeql/ssa:
    version: 1.0.15
  codeql/threat-models:
    version: 1.0.15
  codeql/tutorial:
    version: 1.0.15
  codeql/typeflow:
    version: 1.0.15
  codeql/typetracking:
    version: 1.0.15
  codeql/util:
    version: 2.0.2
  codeql/xml:
    version: 1.0.15
compiled: false
What sticks out to me is that all the versions in the logs have -dev at the end of them, so they are not using what is in these two files. I am unsure why. Since the queries run just fine with the -dev versions, I updated my qlpack.yml to use those versions instead, so that now it is:
name: custom-codeql-queries
version: 0.0.1
library: false
warnOnImplicitThis: false
dependencies:
  codeql/java-all: 6.1.1-dev
  codeql/dataflow: 1.1.10-dev
  codeql/mad: 1.0.16-dev
  codeql/rangeanalysis: 1.0.16-dev
  codeql/regex: 1.0.16-dev
  codeql/threat-models: 1.0.16-dev
  codeql/tutorial: 1.0.16-dev
  codeql/typeflow: 1.0.16-dev
  codeql/typetracking: 1.0.16-dev
  codeql/util: 2.0.3-dev
  codeql/xml: 1.0.16-dev
  codeql/ssa: 1.0.16-dev
libraries:
  - name: SensitiveInfo
    path: /SensitiveInfo
dataExtensions:
  - SensitiveInfo/*.yml
However, when I do codeql pack install, my codeql-pack.lock.yml becomes:
---
lockVersion: 1.0.0
dependencies: {}
compiled: false
I believe this indicates that those versions can't be found.
For reference, here is what my Linux machine outputs:
[2025-05-03 01:03:28] Calling plumbing command: codeql resolve extensions-by-pack --search-path=/app/codeql --qlconfig-file=/app/backend/qlconfig.yml --include-extension-row-locations -- /app/codeql/codeql-custom-queries-java
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] custom-codeql-queries: not 0.0.1 {root: custom-codeql-queries@0.0.1}
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [DERIVATION] custom-codeql-queries: 0.0.1 {custom-codeql-queries: not 0.0.1 {root: custom-codeql-queries@0.0.1}}
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] custom-codeql-queries: * [*], codeql/java-all: not * [*] {dependency: custom-codeql-queries@* [*] requires codeql/java-all@6.1.0}
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [DECISION 1] custom-codeql-queries: 0.0.1
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [DERIVATION] codeql/java-all: * [*] {custom-codeql-queries: * [*], codeql/java-all: not * [*] {dependency: custom-codeql-queries@* [*] requires codeql/java-all@6.1.0}}
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/java-all: * [*], codeql/dataflow: not * [*] {dependency: codeql/java-all@* [*] requires codeql/dataflow@0.2.1}
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/java-all: * [*], codeql/mad: not * [*] {dependency: codeql/java-all@* [*] requires codeql/mad@0.2.10}
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/java-all: * [*], codeql/rangeanalysis: not * [*] {dependency: codeql/java-all@* [*] requires codeql/rangeanalysis@0.0.9}
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/java-all: * [*], codeql/regex: not * [*] {dependency: codeql/java-all@* [*] requires codeql/regex@0.2.10}
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/java-all: * [*], codeql/threat-models: not * [*] {dependency: codeql/java-all@* [*] requires codeql/threat-models@0.0.9}
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/java-all: * [*], codeql/tutorial: not * [*] {dependency: codeql/java-all@* [*] requires codeql/tutorial@0.2.10}
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/java-all: * [*], codeql/typetracking: not * [*] {dependency: codeql/java-all@* [*] requires codeql/typetracking@0.2.10}
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/java-all: * [*], codeql/util: not * [*] {dependency: codeql/java-all@* [*] requires codeql/util@0.2.10}
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [DECISION 2] codeql/java-all: 0.8.10
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [DERIVATION] codeql/util: * [*] {codeql/java-all: * [*], codeql/util: not * [*] {dependency: codeql/java-all@* [*] requires codeql/util@0.2.10}}
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [DERIVATION] codeql/typetracking: * [*] {codeql/java-all: * [*], codeql/typetracking: not * [*] {dependency: codeql/java-all@* [*] requires codeql/typetracking@0.2.10}}
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [DERIVATION] codeql/tutorial: * [*] {codeql/java-all: * [*], codeql/tutorial: not * [*] {dependency: codeql/java-all@* [*] requires codeql/tutorial@0.2.10}}
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [DERIVATION] codeql/threat-models: * [*] {codeql/java-all: * [*], codeql/threat-models: not * [*] {dependency: codeql/java-all@* [*] requires codeql/threat-models@0.0.9}}
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [DERIVATION] codeql/regex: * [*] {codeql/java-all: * [*], codeql/regex: not * [*] {dependency: codeql/java-all@* [*] requires codeql/regex@0.2.10}}
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [DERIVATION] codeql/rangeanalysis: * [*] {codeql/java-all: * [*], codeql/rangeanalysis: not * [*] {dependency: codeql/java-all@* [*] requires codeql/rangeanalysis@0.0.9}}
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [DERIVATION] codeql/mad: * [*] {codeql/java-all: * [*], codeql/mad: not * [*] {dependency: codeql/java-all@* [*] requires codeql/mad@0.2.10}}
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [DERIVATION] codeql/dataflow: * [*] {codeql/java-all: * [*], codeql/dataflow: not * [*] {dependency: codeql/java-all@* [*] requires codeql/dataflow@0.2.1}}
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/dataflow: * [*], codeql/ssa: not * [*] {dependency: codeql/dataflow@* [*] requires codeql/ssa@0.2.10}
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/dataflow: * [*], codeql/typetracking: not * [*] {dependency: codeql/dataflow@* [*] requires codeql/typetracking@0.2.10}
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/dataflow: * [*], codeql/util: not * [*] {dependency: codeql/dataflow@* [*] requires codeql/util@0.2.10}
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [DECISION 3] codeql/dataflow: 0.2.1
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [DERIVATION] codeql/ssa: * [*] {codeql/dataflow: * [*], codeql/ssa: not * [*] {dependency: codeql/dataflow@* [*] requires codeql/ssa@0.2.10}}
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [DECISION 4] codeql/mad: 0.2.10
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/rangeanalysis: * [*], codeql/util: not * [*] {dependency: codeql/rangeanalysis@* [*] requires codeql/util@0.2.10}
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [DECISION 5] codeql/rangeanalysis: 0.0.9
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/regex: * [*], codeql/util: not * [*] {dependency: codeql/regex@* [*] requires codeql/util@0.2.10}
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [DECISION 6] codeql/regex: 0.2.10
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/ssa: * [*], codeql/util: not * [*] {dependency: codeql/ssa@* [*] requires codeql/util@0.2.10}
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [DECISION 7] codeql/ssa: 0.2.10
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [DECISION 8] codeql/threat-models: 0.0.9
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [DECISION 9] codeql/tutorial: 0.2.10
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [INCOMPATIBILITY] codeql/typetracking: * [*], codeql/util: not * [*] {dependency: codeql/typetracking@* [*] requires codeql/util@0.2.10}
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [DECISION 10] codeql/typetracking: 0.2.10
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [DECISION 11] codeql/util: 0.2.10
So, to see if I could get it to work on Linux, I used the updated qlpack.yml on that machine and got this:
# cat qlpack.yml
name: custom-codeql-queries
version: 0.0.1
library: false
warnOnImplicitThis: false
dependencies:
  codeql/java-all: 6.1.1-dev
  codeql/dataflow: 1.1.10-dev
  codeql/mad: 1.0.16-dev
  codeql/rangeanalysis: 1.0.16-dev
  codeql/regex: 1.0.16-dev
  codeql/threat-models: 1.0.16-dev
  codeql/tutorial: 1.0.16-dev
  codeql/typeflow: 1.0.16-dev
  codeql/typetracking: 1.0.16-dev
  codeql/util: 2.0.3-dev
  codeql/xml: 1.0.16-dev
  codeql/ssa: 1.0.16-dev
libraries:
  - name: SensitiveInfo
    path: /SensitiveInfo
dataExtensions:
  - SensitiveInfo/*.yml
# codeql pack install
ERROR: No valid pack solution found:
Because 'custom-codeql-queries' depends on 'codeql/typeflow@1.0.16-dev', which does not match any available versions of 'codeql/typeflow', version solving failed.
(/app/codeql/codeql-custom-queries-java/qlpack.yml:1,1-1)
A fatal error occurred: A 'codeql pack resolve-dependencies' operation failed with error code 2
This is telling me that that dependency doesn't exist, which confuses me because they both have the same QL lib files from the tree at the beginning of this post.
For reference, this query works fine on my Windows machine:
/**
 * @name CWE-204: Observable discrepancies in sensitive error messages
 * @description Detects if statements within sensitive contexts that produce different error messages based on conditional branches, which could lead to observable discrepancies.
 * @kind problem
 * @problem.severity warning
 * @id java/error-message-discrepancies/204
 * @tags security
 *       external/cwe/cwe-204
 * @cwe CWE-204
 */

import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.SensitiveActions
import semmle.code.java.controlflow.Guards

// Class for String literals potentially used in observable discrepancies
class SensitiveMessageLiteral extends StringLiteral {
  SensitiveMessageLiteral() {
    this.getValue().regexpMatch(".*(Login Successful|Invalid password|Invalid username|Access (Granted|Denied)|Verification (Successful|Failed)|Authentication (Successful|Failed)|User not found|Password cannot be empty|Username cannot be empty|Input cannot be null|Input cannot be empty|'admin' is a reserved keyword|Verification Successful: Email found in system|Verification Failed: Email not registered|Access Granted: Admin has full access|Access Granted: User can access public files|Access Denied: User cannot access private files|Access Denied: Unknown role|Download Authorized|Download Denied: Insufficient privileges|Authentication Successful: Device recognized|Authentication Failed: Device not recognized in local network|Authentication Failed: Unknown device).*")
  }
}

from IfStmt outerIf, IfStmt innerIf, SensitiveMessageLiteral innerVal, SensitiveMessageLiteral outerVal
where
  // Check if the innerIf is directly within the body of outerIf
  outerIf.getAChild*() = innerIf and
  // Check for specific message literals in the then and else branches of the inner if-statement and the else branch of the outer if-statement
  innerIf.getElse().getBasicBlock().getANode().asExpr() = innerVal and
  outerIf.getElse().getBasicBlock().getANode().asExpr() = outerVal and
  // Ensure the innerIf and outerIf are not the same
  innerVal.getValue() != outerVal.getValue()
select outerIf.getBasicBlock(), "CWE-204: Observable discrepancies due to different error messages in nested if-statements."
However, I get this on the Linux one:
ERROR: asExpr() cannot be resolved for type ControlFlowGraph::ControlFlowNode (/app/codeql/codeql-custom-queries-java/CWE-204/cwe204-nested-condition.ql:29,49-55)
I am thinking that because my Windows machine was my main development machine, that might be why things are different, as I have upgraded versions over time. I would appreciate any help with this, as getting the dependencies for CodeQL correct is not my strong suit. I can also send the full logs if that is needed as well. Thank you.
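As an added example (not part of the original post), the following Python script pulls the [DECISION] lines out of the two codeql resolve extensions-by-pack logs above, reads the versions pinned in codeql-pack.lock.yml with a minimal parser, and lists every pack whose resolved version differs between the two machines or from the lock file, flagging -dev versions, which come from a source checkout of the QL libraries on the search path rather than a published pack. The log and lock excerpts are constructed from the lines quoted in the post.

```python
import re

# Constructed excerpts of the two resolver logs quoted in the post (Windows, then Linux).
WIN_LOG = """\
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [DECISION 1] custom-codeql-queries: 0.0.1
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [DECISION 2] codeql/java-all: 6.1.1-dev
[2025-05-02 15:21:36] [SPAMMY] resolve extensions-by-pack> [DECISION 3] codeql/dataflow: 1.1.10-dev
"""
LINUX_LOG = """\
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [DECISION 1] custom-codeql-queries: 0.0.1
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [DECISION 2] codeql/java-all: 0.8.10
[2025-05-03 01:03:28] [SPAMMY] resolve extensions-by-pack> [DECISION 3] codeql/dataflow: 0.2.1
"""
# Constructed excerpt of the codeql-pack.lock.yml quoted in the post.
LOCK = """\
lockVersion: 1.0.0
dependencies:
  codeql/dataflow:
    version: 1.1.9
  codeql/java-all:
    version: 6.1.0
compiled: false
"""

DECISION_RE = re.compile(r"\[DECISION \d+\] (\S+): (\S+)")

def parse_decisions(log: str) -> dict[str, str]:
    """Map each pack to the version the resolver finally chose (a later DECISION wins)."""
    chosen = {}
    for line in log.splitlines():
        m = DECISION_RE.search(line)
        if m:
            chosen[m.group(1)] = m.group(2)
    return chosen

def parse_lock(lock: str) -> dict[str, str]:
    """Tiny parser for the two-level 'dependencies' layout of codeql-pack.lock.yml (no PyYAML)."""
    deps, current = {}, None
    for line in lock.splitlines():
        dep = re.match(r"^  (\S+):\s*$", line)        # "  codeql/java-all:"
        ver = re.match(r"^    version:\s*(\S+)\s*$", line)  # "    version: 6.1.0"
        if dep:
            current = dep.group(1)
        elif ver and current:
            deps[current] = ver.group(1)
    return deps

def is_dev(version: str) -> bool:
    """A '-dev' version was resolved from a source checkout on the search path, not a published pack."""
    return version.endswith("-dev")

def compare(a: dict, b: dict, lock: dict) -> dict[str, tuple]:
    """Return {pack: (version_a, version_b, lock_version)} for every pack whose versions disagree."""
    diffs = {}
    for pack in sorted(set(a) | set(b)):
        va, vb, vl = a.get(pack), b.get(pack), lock.get(pack)
        if len({v for v in (va, vb, vl) if v is not None}) > 1:
            diffs[pack] = (va, vb, vl)
    return diffs

if __name__ == "__main__":
    for pack, (va, vb, vl) in compare(parse_decisions(WIN_LOG), parse_decisions(LINUX_LOG), parse_lock(LOCK)).items():
        flag = " (dev checkout)" if is_dev(va or "") else ""
        print(f"{pack}: windows={va}{flag} linux={vb} lock={vl}")
```

Run it against the full logs from both machines to get the complete list of packs that resolve differently; a pack that is -dev on one side and a released version on the other points at a different search-path checkout rather than at the lock file.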