CodeQL 2.19.1 does not work with Java 23 projects
After upgrading to CodeQL 2.19.1 to get Java 23 support (see issue #17564), the Java 23 project is still not analyzed successfully by CodeQL.
Example project here: https://github.com/danishnawab/codeql-java23/tree/master
Java 23
The master branch is set up with Java 23 -> CodeQL analysis fails
codeql --version
Output:
CodeQL command-line toolchain release 2.19.1.
Copyright (C) 2019-2024 GitHub, Inc.
Unpacked in: ~/codeql
Analysis results depend critically on separately distributed query and extractor modules.
To list modules that are visible to the toolchain, use 'codeql resolve qlpacks' and 'codeql resolve languages'.
codeql database create java-testing-repo --language=java --source-root=. --command="./gradlew clean assemble --no-build-cache" --overwrite
Output:
Initializing database at ~/codeql-java23/java-testing-repo.
Running build command: [./gradlew, clean, assemble, --no-build-cache]
Running command in ~/codeql-java23: [./gradlew, clean, assemble, --no-build-cache]
[2024-10-08 10:20:08] [build-stdout] > Task :clean UP-TO-DATE
[2024-10-08 10:20:08] [build-stdout] > Task :compileJava
[2024-10-08 10:20:08] [build-stdout] > Task :processResources
[2024-10-08 10:20:08] [build-stdout] > Task :classes
[2024-10-08 10:20:08] [build-stdout] > Task :resolveMainClassName
[2024-10-08 10:20:09] [build-stdout] > Task :bootJar
[2024-10-08 10:20:09] [build-stdout] > Task :jar
[2024-10-08 10:20:09] [build-stdout] > Task :assemble
[2024-10-08 10:20:09] [build-stdout] BUILD SUCCESSFUL in 983ms
[2024-10-08 10:20:09] [build-stdout] 6 actionable tasks: 5 executed, 1 up-to-date
Finalizing database at ~/codeql-java23/java-testing-repo.
CodeQL detected code written in Java/Kotlin but could not process any of it. For more information, review our troubleshooting guide at https://gh.io/troubleshooting-code-scanning/no-source-code-seen-during-build.
Exit status: 32
Java 22
The java22 branch is set up with Java 22 -> CodeQL analysis succeeds
codeql --version
Output:
CodeQL command-line toolchain release 2.19.1.
Copyright (C) 2019-2024 GitHub, Inc.
Unpacked in:~/codeql
Analysis results depend critically on separately distributed query and extractor modules.
To list modules that are visible to the toolchain, use 'codeql resolve qlpacks' and 'codeql resolve languages'.
codeql database create java-testing-repo --language=java --source-root=. --command="./gradlew clean assemble --no-build-cache" --overwrite
Initializing database at ~/codeql-java23/java-testing-repo.
Running build command: [./gradlew, clean, assemble, --no-build-cache]
Running command in ~/codeql-java23: [./gradlew, clean, assemble, --no-build-cache]
[2024-10-08 10:26:08] [build-stdout] > Task :clean
[2024-10-08 10:26:13] [build-stdout] > Task :compileJava
[2024-10-08 10:26:13] [build-stdout] > Task :processResources
[2024-10-08 10:26:13] [build-stdout] > Task :classes
[2024-10-08 10:26:13] [build-stdout] > Task :resolveMainClassName
[2024-10-08 10:26:13] [build-stdout] > Task :bootJar
[2024-10-08 10:26:13] [build-stdout] > Task :jar
[2024-10-08 10:26:13] [build-stdout] > Task :assemble
[2024-10-08 10:26:13] [build-stdout] BUILD SUCCESSFUL in 5s
[2024-10-08 10:26:13] [build-stdout] 6 actionable tasks: 6 executed
Finalizing database at ~/codeql-java23/java-testing-repo.
Running pre-finalize script ~/codeql/java/tools/pre-finalize.sh in ~/codeql-java23.
Running command in ~/codeql-java23: [~/codeql/java/tools/pre-finalize.sh]
[2024-10-08 10:26:14] [build-stderr] Scanning for files in ~/codeql-java23...
[2024-10-08 10:26:14] [build-stderr] ~/codeql-java23/java-testing-repo: Indexing files in in ~/codeql-java23...
[2024-10-08 10:26:14] [build-stderr] Running command in ~/codeql-java23: [~/codeql/xml/tools/index-files.sh, ~/codeql-java23/java-testing-repo/working/files-to-index11292473239882580179.list]
[2024-10-08 10:26:15] [build-stderr] Scanning for files in ~/codeql-java23...
[2024-10-08 10:26:15] [build-stderr] ~/codeql-java23/java-testing-repo: Indexing files in in ~/codeql-java23...
[2024-10-08 10:26:15] [build-stderr] Running command in ~/codeql-java23: [~/codeql/properties/tools/index-files.sh, ~/codeql-java23/java-testing-repo/working/files-to-index1093484879480739341.list]
Running TRAP import for CodeQL database at ~/codeql-java23/java-testing-repo...
Importing TRAP files
Merging relations
Finished writing database (relations: 2.41 MiB; string pool: 2.78 MiB).
TRAP import complete (1.2s).
Finished zipping source archive (5.37 KiB).
Successfully created database at ~/codeql-java23/java-testing-repo.
Exit status: 0
The Java version is the only difference between the 2 branches: https://github.com/danishnawab/codeql-java23/compare/master...java22
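An added example, not part of the original issue or of CodeQL: a shell check that tells the two runs above apart from the exit status and the log markers, and separately flags the case where Gradle skipped `:compileJava` so that no compiler ran. The function names and the `cached_log` sample are assumptions made for illustration; the other sample lines are abridged from the logs in this post.

```shell
#!/bin/sh
# Added example, not from the thread: classify a `codeql database create` run
# from its exit status and captured log. Marker strings come from the logs above.
# Usage: codeql database create ... >codeql.log 2>&1; classify_run "$?" <codeql.log

# compile_ran LOGTEXT: succeeds if Gradle actually executed :compileJava.
# An UP-TO-DATE or FROM-CACHE task starts no compiler for CodeQL to observe.
compile_ran() {
    printf '%s\n' "$1" | grep ':compileJava' |
        grep -Eqv 'UP-TO-DATE|FROM-CACHE|SKIPPED|NO-SOURCE'
}

# classify_run STATUS <LOG: prints ok | no-source-seen | compile-skipped | failed
classify_run() {
    log=$(cat)
    if [ "$1" -eq 0 ] && printf '%s\n' "$log" | grep -q 'Successfully created database'; then
        echo ok
    elif printf '%s\n' "$log" | grep -q 'could not process any of it'; then
        # Build passed but nothing was extracted; tell the two causes apart.
        if compile_ran "$log"; then echo no-source-seen; else echo compile-skipped; fi
    else
        echo failed
    fi
}

# Constructed samples, abridged from the Java 23 and Java 22 runs in this post.
java23_log() { cat <<'EOF'
[2024-10-08 10:20:08] [build-stdout] > Task :compileJava
[2024-10-08 10:20:09] [build-stdout] BUILD SUCCESSFUL in 983ms
CodeQL detected code written in Java/Kotlin but could not process any of it.
EOF
}
java22_log() { cat <<'EOF'
[2024-10-08 10:26:13] [build-stdout] > Task :compileJava
[2024-10-08 10:26:13] [build-stdout] BUILD SUCCESSFUL in 5s
Successfully created database at ~/codeql-java23/java-testing-repo.
EOF
}
# Constructed variant (not in the thread): the compile step was skipped by Gradle.
cached_log() { java23_log | sed 's/:compileJava$/:compileJava UP-TO-DATE/'; }

java23_log | classify_run 32   # Java 23 run from this post
java22_log | classify_run 0    # Java 22 run from this post
cached_log | classify_run 32   # constructed skipped-compile case
```

A CI job can fail on anything other than `ok`, so a green build that produced no analysable database is not mistaken for a clean scan.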
👋 @danishnawab thanks a lot for reaching out to us! I will call in the team working on java support on this. In the meantime, it seems like https://github.com/danishnawab/codeql-java23/ is private: I'm guessing it's a small reproducer and it can be made public? That would be much appreciated!
Ah yes, the intention was to have it public. I have updated the visibility now to make it public.
The cause is that the sample project there uses --release 23, indicating intention to use Java 23 language features; however all the Java 23 specific language features are previews or incubators, which we don't support in general.
What is supported at this point is use of the Java 23 toolchain building to a Java 22 or lower language version.
@smowton the intention is to use Java 23. The stable libraries and language features.
To use preview features one needs to additionally provide the --enable-preview flag.
In this case, I have no intention to use the preview features, but I still want to run JDK 23 as each version of Java supersedes the older one. Can you advise what the way forward is here? When will full Java 23 (minus preview features) support arrive?
In the short term can you just pass -source 22 -target 22 to get the result you want?
No, that doesn't work because we have a large number of services in my organization - an enterprise GitHub support customer - where we want to use Java 23 library and runtime updates. In the short term we will not be able to use CodeQL then.
I'll have a go at getting full Java 23 support in time for CodeQL 2.19.2, but no promises -- upgrading the OpenJDK components varies quite a lot in difficulty from JDK release to release!
Ok, we will wait then. The same situation might arise for future releases, so direct support of new Java source versions (even if nothing has changed) would be desired.
Yes, this is always intended. We don't anticipate any difficulties on future JDK releases.
The full upgrade turned out to be pretty straightforward this cycle. You should find Java 23 is fully supported (except preview / incubating features) as of CodeQL 2.19.2.
Thank you @smowton. Could you also comment on what the support for future versions (minus preview/incubator features) will look like? How soon after a new version release can full support be expected? This will be valuable information for many organizations to plan their upgrade paths.
In the normal course of things, there should be full support for non-preview/incubator features on JDK release day.
@smowton given that the release candidate builds for Java 24 are available already, what is your roadmap for Java 24 support? Is it possible to add support for this in time for the GA release (March 18, 2025)? I can log a dedicated issue for this if you like.
CodeQL 2.20.6 ETA March 7th.