Closed skypean closed 2 years ago
Can you analyse just the dependency, or do you need both application and library available in the same database?
If the latter, you should extract using a build command (e.g. a small shell script) that builds both projects that you're interested in, and set `codeql database create`'s `--source-root` option (default: the working directory from which it was invoked) to some directory that contains the source code of both projects, e.g. a parent directory whose immediate children are `dubbo-samples` and `some-dependency-project`.
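One way to script what the reply above describes, as an added example that is not code from this thread or from the Dubbo project. It assumes a hypothetical layout in which `dubbo-samples` and `some-dependency-project` are sibling directories under `$WORKSPACE`, that both are Maven projects, and that the dependency can be built with `mvn install`; the script name `build-all.sh` and the database directory name are also assumptions. CodeQL traces whatever the `--command` script compiles, so building the dependency with `install` first makes the application resolve the freshly built (and traced) copy instead of a jar from a remote repository.

```shell
#!/bin/sh
# Added example: build an application and the library it depends on under one
# CodeQL source root so both source trees end up in a single database.
# Assumed (hypothetical) layout under $WORKSPACE:
#   dubbo-samples/             the application checkout
#   some-dependency-project/   the library whose code should also be in the database
set -eu

WORKSPACE="${WORKSPACE:-$PWD}"
DB_DIR="${DB_DIR:-$WORKSPACE/dubbo-with-deps-db}"
DRY_RUN="${DRY_RUN:-0}"     # DRY_RUN=1 prints the codeql command instead of running it

# Write the build script that CodeQL will trace. It cd's to its own directory
# (the source root) so the relative paths below work wherever it is invoked.
# The dependency is built with `install` first so the application build picks
# up the locally built copy from the Maven repository.
write_build_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
set -eu
cd "$(dirname "$0")"
mvn -f some-dependency-project/pom.xml -DskipTests clean install
mvn -f dubbo-samples/pom.xml -DskipTests clean package
EOF
    chmod +x "$1"
}

# Return the codeql invocation as one line. --source-root is the parent of
# both checkouts, which is what puts both projects' sources in the database.
codeql_cmd() {
    printf 'codeql database create %s --language=java --source-root=%s --command=%s\n' \
        "$DB_DIR" "$WORKSPACE" "$WORKSPACE/build-all.sh"
}

# Write the build script, then create the database (or just print the command).
create_db() {
    write_build_script "$WORKSPACE/build-all.sh"
    if [ "$DRY_RUN" = "1" ]; then
        codeql_cmd
    else
        codeql database create "$DB_DIR" --language=java \
            --source-root="$WORKSPACE" --command="$WORKSPACE/build-all.sh"
    fi
}

# Only act when invoked explicitly, e.g.:  WORKSPACE=/path/to/parent ./make-db.sh create
if [ "${1:-}" = "create" ]; then
    create_db
fi
```

Run it with `DRY_RUN=1` first to confirm the source root and build script path are what you expect; the resulting database can then be queried like any other Java database, and results will reference files from both the `dubbo-samples` and `some-dependency-project` trees.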
Thanks. I tried and successfully created databases with its dependency project for analysis!
I'm trying to create a database for Apache Dubbo to analyze its vulnerabilities. I built dubbo-samples-http using the command "mvn clean package", but I can only get the source code inside that folder.
Is it possible to include the source of its dependency in the database as well? The vulnerability is in its dependency's code, and without it I can't analyze it using CodeQL!
Link of dubbo-samples-http: https://github.com/apache/dubbo-samples