I'm just getting started with CodeQL and have had plenty of success scanning Python projects. Now, I'm starting to scan Java projects, and I struggle to scan precompiled projects.
From what I gathered, it appears the CodeQL CLI includes an autobuilder for Java code and will build the projects for me. I'm trying to scan projects already compiled from the Maven Central repository.
Question:
- Is it possible to scan compiled Java source code (i.e., bytecode, class files) contained within a JAR file with CodeQL?
- If so, how can I invoke these properties to scan JAR files from the CLI?
Thanks for any insight!
CodePudding user response:
From what I read, it does not seem to work on compiled classes. You will need the source code, whether that exists as a JAR (which you then need to unzip before processing) or a GitHub project.
Usually when running it you would provide the way to build your project, such as --language=java --command='mvn clean install -DskipTests' <-- this requires source code.
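Since the Java extractor needs source rather than bytecode, a quick pre-check is to look inside the artifact for .java entries (a Maven Central -sources.jar has them; the plain binary jar does not) and unzip only those before pointing CodeQL at the directory. The following is an added example, not code from the answer or from CodeQL; the jar contents and paths are constructed inline for the demo, and the extractor refuses entries whose path would land outside the destination directory.

```python
import tempfile
import zipfile
from pathlib import Path

def classify_jar(jar_path):
    """Count .java vs .class entries; CodeQL's Java extractor needs source, not bytecode."""
    with zipfile.ZipFile(jar_path) as zf:
        names = zf.namelist()
    java = sum(n.endswith(".java") for n in names)
    classes = sum(n.endswith(".class") for n in names)
    return {"java": java, "class": classes, "has_source": java > 0}

def extract_sources(jar_path, dest):
    """Unzip only .java entries into dest, refusing entries that would escape it."""
    dest = Path(dest).resolve()
    written = []
    with zipfile.ZipFile(jar_path) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".java"):
                continue
            target = (dest / info.filename).resolve()
            if dest not in target.parents:  # zip-slip guard for hostile archives
                raise ValueError(f"entry escapes destination: {info.filename}")
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.relative_to(dest).as_posix())
    return written

def make_jar(path, entries):
    """Write a constructed sample JAR (not a real Maven artifact)."""
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return path

def demo():
    """Classify a binary jar and a -sources jar, then extract the sources."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        binary = make_jar(tmp / "lib-1.0.jar", {"com/x/App.class": b"\xca\xfe\xba\xbe"})
        sources = make_jar(tmp / "lib-1.0-sources.jar", {"com/x/App.java": "class App {}"})
        hostile = make_jar(tmp / "bad.jar", {"../escape.java": "class E {}"})
        extracted = extract_sources(sources, tmp / "src")
        try:
            extract_sources(hostile, tmp / "src2")
            blocked = False
        except ValueError:
            blocked = True
        return classify_jar(binary), classify_jar(sources), extracted, blocked
```

Once the .java files are extracted, the resulting directory can be built with the usual --command so the database is created from source.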