Open revblock opened 1 year ago
Thank you for your question. The codeql mac os binary is a jar file, so most Java solutions should work. codeql ships with its own jre that is located at codeql/tools/osx64/java.
It looks like you are running codeql on your local machine (i.e., not in code scanning or on a CI system). Is that correct? I will ask internally if anyone has solved this problem in the past.
Can you try adding your self-signed certificate to the JVM's cert store? Here are some instructions. https://www.baeldung.com/jvm-certificate-store-errors
You can get more info on what precisely is going wrong by enabling SSL debug logging: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/ReadDebug.html
Sorry for the slow reply.
> Thank you for your question. The codeql mac os binary is a jar file, so most Java solutions should work. codeql ships with its own jre that is located at codeql/tools/osx64/java.
> It looks like you are running codeql on your local machine (i.e., not in code scanning or on a CI system). Is that correct? I will ask internally if anyone has solved this problem in the past.
Yes I'm running it locally.
> Can you try adding your self-signed certificate to the JVM's cert store? Here are some instructions. https://www.baeldung.com/jvm-certificate-store-errors
> You can get more info on what precisely is going wrong by enabling SSL debug logging: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/ReadDebug.html
I tried to do this before, but since I don't have any Java tooling installed I don't have a $JAVA_HOME env variable and therefore no keystore with that value, so I'm not sure how I would add the certificate for it.
You can try setting JAVA_HOME to ....../codeql/tools/osx64/java. And note that you will need to re-add the cert each time you upgrade your codeql versions.
Facing the same issue with a Windows local machine. Here I am trying to install/download the cpp/queries packages.
codeql pack download codeql/cpp-queries
Package installation location: C:\Users\shravan.codeql\packages
A fatal error occurred: Could not create access credentials for codeql/cpp-queries. (eventual cause: SunCertPathBuilderException "unable to find valid certification path to requested target")
Can anyone please help me on this?
There's not much more I can suggest other than going through the steps above. Please confirm to me that you've tried them.
echo | openssl s_client -showcerts -servername ghcr.io -connect ghcr.io:443 > ghcr-certificates.pem
keytool -import -alias ghcr -keystore "<codeql-home>/codeql/tools/osx64/java/lib/security/cacerts" -file ghcr-certificates.pem
When I try to run
codeql pack download ...
I get the following error.
This is on a computer that has a self-signed certificate in the chain. For most of the tools I use there's a way to include these certificates with an environment variable or enable it to pick up the configuration with the certificate installed. I can't figure out a way to do that in this case though.
A lot of the examples online are specific to fixing this issue for JRE/JDK, which I don't have; I'm just running the codeql mac os binary.
Thanks,
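The steps discussed in this thread (use the JRE bundled under codeql/tools/osx64/java, import the certificate into its cacerts, repeat after every upgrade) collected into one repeatable script. This is an added example, not code from the thread or from the CodeQL project: the alias `corp-proxy-ca`, the script name and the presence of `bin/keytool` inside the bundled JRE are assumptions, and the sample chain is constructed. It goes slightly beyond the thread by extracting only the last certificate of the `-showcerts` output instead of saving the whole dump.

```shell
#!/bin/sh
# Added example (not from the thread): re-add a proxy CA to CodeQL's bundled JRE.

# JAVA_HOME of the JRE bundled under CodeQL directory $1 ($2: platform dir,
# default osx64 as quoted in the thread).
bundled_java_home() {
  printf '%s/tools/%s/java\n' "$1" "${2:-osx64}"
}

# Read `openssl s_client -showcerts` output on stdin and print only the last
# PEM block, i.e. the certificate closest to the root that the server sent.
last_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ { buf = ""; keep = 1 }
       keep                          { buf = buf $0 "\n" }
       /-----END CERTIFICATE-----/   { last = buf; keep = 0 }
       END                           { printf "%s", last }'
}

# Constructed sample of s_client output (placeholder base64, not real certs).
sample_showcerts() {
  cat <<'EOF'
Certificate chain
 0 s:CN = ghcr.io
-----BEGIN CERTIFICATE-----
QUFBQQ==
-----END CERTIFICATE-----
 1 s:CN = Example Inspection CA
-----BEGIN CERTIFICATE-----
QkJCQg==
-----END CERTIFICATE-----
---
EOF
}

# Import CA file $2 into the bundled cacerts under CodeQL dir $1, once per
# alias $3. "changeit" is the stock cacerts password. Assumption: the bundled
# JRE ships bin/keytool; otherwise fall back to a keytool on PATH.
import_ca() {
  home=$(bundled_java_home "$1"); alias_name=${3:-corp-proxy-ca}
  store="$home/lib/security/cacerts"
  kt="$home/bin/keytool"; [ -x "$kt" ] || kt=keytool
  "$kt" -list -keystore "$store" -storepass changeit -alias "$alias_name" \
    >/dev/null 2>&1 && { echo "already trusted: $alias_name"; return 0; }
  "$kt" -importcert -noprompt -trustcacerts -alias "$alias_name" \
    -file "$2" -keystore "$store" -storepass changeit
}

# Usage: sh add-ca.sh <codeql-dir> <ca.pem>   (run again after each upgrade)
if [ "$#" -ge 2 ]; then import_ca "$1" "$2"; fi
```

Before importing, compare the output of `openssl x509 -noout -fingerprint -sha256 -in ca.pem` with the fingerprint published by whoever operates the proxy, since a certificate captured from the intercepted connection itself proves nothing about who issued it.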