github / codeql

CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
https://codeql.github.com
MIT License

CodeQL v2.14.5 failed to extract Lombok files. #14316

Closed 33yan closed 12 months ago

33yan commented 12 months ago

Hi, my project uses Gradle for building and also includes the Lombok component. However, when creating the CodeQL database, I noticed that the code using Lombok is not being extracted into the database.

I am using CodeQL version v2.14.5, and I have seen an official blog post stating that Lombok extraction is supported starting from v2.14.4. ref: https://github.blog/changelog/2023-09-01-code-scanning-with-codeql-improves-support-for-java-codebases-that-use-project-lombok/

I would like to know if there is something wrong with my setup or if there are additional settings required. Below is the process I followed:

set PATH=C:\Program Files\Java\jdk1.8.0_261\bin;%PATH%
set CODEQL_EXTRACTOR_JAVA_RUN_ANNOTATION_PROCESSORS=true
codeql database create qldb_myapp -l java -s myapp -c "gradle --no-daemon clean build -x test"

In my Gradle configuration for Lombok dependencies, I have the following:

dependencies {
  compileOnly "org.projectlombok:lombok"
  annotationProcessor "org.projectlombok:lombok"
}

aibaars commented 12 months ago

I think you set the correct environment variables, so that should work. Perhaps double-check the codeql version. Did you look for error messages in the log files in qldb_myapp/logs?

33yan commented 12 months ago

It was my oversight. Due to not seeing any Lombok-related code files in the source code archive of the VS Code plugin, I mistakenly believed that the extraction was not successful. Does this mean that files that use Lombok will not be extracted into the source code archive?

aibaars commented 12 months ago

> It was my oversight. Due to not seeing any Lombok-related code files in the source code archive of the VS Code plugin, I mistakenly believed that the extraction was not successful. Does this mean that files that use Lombok will not be extracted into the source code archive?

Files containing Lombok annotations should appear in the source archive. If files are skipped there should be messages like the following in the log files: Skipping Lombok-ed source file.
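
The check described in this reply, as an added example that is not part of the thread or the CodeQL project: it lists log lines carrying the skip message and the Lombok-using sources that have no entry in the database's source archive. Assumptions: the archive is `src.zip` in the database directory, logs sit in a `log` or `logs` subdirectory, a file counts as Lombok-using when it contains `import lombok.`, and all function names are hypothetical.

```python
import sys
import zipfile
from pathlib import Path

SKIP_MARKER = "Skipping Lombok-ed source file"  # log text quoted in the thread

def lombok_sources(source_root):
    """Relative POSIX paths of .java files that import from lombok (heuristic)."""
    root = Path(source_root)
    return [p.relative_to(root).as_posix() for p in sorted(root.rglob("*.java"))
            if "import lombok." in p.read_text(encoding="utf-8", errors="replace")]

def skip_messages(db_dir):
    """Log lines carrying the skip marker; log/ and logs/ are assumed names."""
    hits = []
    for name in ("log", "logs"):
        log_dir = Path(db_dir) / name
        if not log_dir.is_dir():
            continue
        for path in sorted(log_dir.rglob("*")):
            if path.is_file():
                text = path.read_text(encoding="utf-8", errors="replace")
                hits += [l.strip() for l in text.splitlines() if SKIP_MARKER in l]
    return hits

def missing_from_archive(db_dir, source_root):
    """Lombok-using sources with no entry in <db_dir>/src.zip (assumed location)."""
    with zipfile.ZipFile(Path(db_dir) / "src.zip") as archive:
        entries = [n.replace("\\", "/") for n in archive.namelist()]
    # Assumption: entries carry the build machine's full path, so match on suffix.
    return [rel for rel in lombok_sources(source_root)
            if not any(e == rel or e.endswith("/" + rel) for e in entries)]

if __name__ == "__main__":
    db, src = sys.argv[1], sys.argv[2]  # e.g. qldb_myapp myapp
    for line in skip_messages(db):
        print("log:", line)
    for rel in missing_from_archive(db, src):
        print("not in source archive:", rel)
```

An empty result from both functions means no skip message was logged and every Lombok-using file is present in the archive.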

33yan commented 12 months ago

> > It was my oversight. Due to not seeing any Lombok-related code files in the source code archive of the VS Code plugin, I mistakenly believed that the extraction was not successful. Does this mean that files that use Lombok will not be extracted into the source code archive?

> Files containing Lombok annotations should appear in the source archive. If files are skipped there should be messages like the following in the log files: Skipping Lombok-ed source file.

Thanks for your guidance, this issue can be removed ~