[Public Beta] CodeQL can scan Java and C# projects without a build #113548

coadaflorin · 2024-03-21T13:44:07Z

coadaflorin
Mar 21, 2024

A key requirement for scanning Java with CodeQL was to have a working build. We are now able to scan Java projects without the need for a working build. We really ❤️ feedback and while this feature is in a public beta we welcome feedback about this new approach for scanning Java.

June 20, 2024: CodeQL can now scan C# without a working build.

If you prefer sharing feedback directly, feel free to reach out at coadaflorin@github.com .

Who is this available for?

This is available now to all GitHub code scanning users via default setup.
This is available now to all GitHub code scanning users advanced setup. Use the build-mode: none option to trigger this behaviour.
The feature is available for Java users on CodeQL CLI starting with version 2.16.5. Use the --build-mode none option to trigger this behaviour.
The feature is available for C# users on CodeQL CLI starting with version 2.17.6. Use the --build-mode none option to trigger this behaviour.

ebickle · 2024-03-21T16:45:05Z

ebickle
Mar 21, 2024

Can you clarify how this works internally? Is there a new extractor that directly parses Java and Kotlin code (similar to Javascript, Typescript, and Python) or does it still try to run an autobuild and then try to analyze the instrumented results of the failed build?

I tried this out on a Java repository (no Kotlin code) that had never had CodeQL enabled and noticed it still ran the autobuild action.

7 replies

coadaflorin Mar 21, 2024
Author

Let us know how things go for you!

harringj Mar 26, 2024

Really excited about this new feature! @coadaflorin, is there any way to take advantage of the build-less scans if we pull dependencies through Artifactory rather than Maven central?

coadaflorin Mar 27, 2024
Author

I would love to hear more about your use-case and setup. That is something that we are currently investigating!
At the moment there's no easy way to set-up Artifactory, but there might be some short-term workarounds we can suggest. Would you mind connecting via email for a chat? My address is the coadaflorin@github.com.

Monstrosity8 Mar 18, 2025

Hey @coadaflorin, were you able to solve for the Artifactory use case?

coadaflorin Mar 18, 2025
Author

Hey @Monstrosity8 we made some progress on it. We are able to use credentials to authenticate against private registries but the configuration needs to exist in the project. (i.e. if you define you private registry in a Gradle config or Maven file then we should be able to go and find those dependencies. )

ManulBandara · 2024-03-27T10:22:46Z

ManulBandara
Mar 27, 2024

As of my last update in January 2022, CodeQL, a semantic code analysis engine developed by GitHub, allows for scanning Java projects without requiring a build. This capability enables developers to perform static analysis on Java codebases without having to compile the code first. By directly analyzing the source code, CodeQL can detect security vulnerabilities, bugs, and other issues in Java projects.

1 reply

coadaflorin Apr 4, 2024
Author

In January 2022, the statement "perform static analysis on Java codebases without having to compile the code first" was not accurate for Java which did require a manual or automated build. Starting with CodeQL 2.16.5 we ca scan Java without a build.

ghost · 2024-04-26T09:09:26Z

ghost
Apr 26, 2024

Any estimate on when this might leave public beta, and be available also for GitHub Enterprise Server?

1 reply

coadaflorin Apr 26, 2024
Author

We currently do not have a concrete date for a ship to GitHub Enterprise Server. We are going to ship this out to Enterprise Server too, we just need to complete our beta before doing so. We are happy to explore options for you to try this out during the beta. Would you mind connecting via email for a chat? My address is coadaflorin@github.com.

hicksjacobp · 2024-06-24T20:55:20Z

hicksjacobp
Jun 24, 2024

The feature is available for C# users on CodeQL CLI starting with version 2.17.6. Use the --build-mode none option to trigger this behaviour.

@coadaflorin

This statement and blog post was made on June 20, 2024.

When will 2.17.6 be available? As of June 24, 2024, I don't see any release or tag in either https://github.com/github/codeql-cli-binaries or https://github.com/github/codeql-action.

1 reply

coadaflorin Jun 25, 2024
Author

Hi @hicksjacobp 👋
2.17.6 is not out yet. We aim to release it later this week/early next week. There will be a changelog announcing the release and availability of build-mode: none.

2024-07-09T13:16:03Z

github-actions[bot]
bot Jul 9, 2024

💬 Your Product Feedback Has Been Submitted 🎉

Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users.

Here's what you can expect moving forward ⏩

Your input will be carefully reviewed and cataloged by members of our product teams.
- Due to the high volume of submissions, we may not always be able to provide individual responses.
- Rest assured, your feedback will help chart our course for product improvements.
Other users may engage with your post, sharing their own perspectives or experiences.
GitHub staff may reach out for further clarification or insight.
- We may 'Answer' your discussion if there is a current solution, workaround, or roadmap/changelog post related to the feedback.

Where to look to see what's shipping 👀

Read the Changelog for real-time updates on the latest GitHub features, enhancements, and calls for feedback.
Explore our Product Roadmap, which details upcoming major releases and initiatives.

What you can do in the meantime 💻

Upvote and comment on other user feedback Discussions that resonate with you.
Add more information at any point! Useful details include: use cases, relevant labels, desired outcomes, and any accompanying screenshots.

As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities.

Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Community

[Public Beta] CodeQL can scan Java and C# projects without a build #113548

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 5 comments 10 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

[Public Beta] CodeQL can scan Java and C# projects without a build #113548

Who is this available for?

Replies: 5 comments · 10 replies

coadaflorin Mar 21, 2024 Author

coadaflorin Mar 27, 2024 Author

coadaflorin Mar 18, 2025 Author

coadaflorin Apr 4, 2024 Author

coadaflorin Apr 26, 2024 Author

coadaflorin Jun 25, 2024 Author

github-actions[bot] bot Jul 9, 2024

Replies: 5 comments 10 replies

coadaflorin Mar 21, 2024
Author

coadaflorin Mar 27, 2024
Author

coadaflorin Mar 18, 2025
Author

coadaflorin Apr 4, 2024
Author

coadaflorin Apr 26, 2024
Author

coadaflorin Jun 25, 2024
Author

github-actions[bot]
bot Jul 9, 2024