With the 2.16.5
release of CodeQL, we’re introducing a new mechanism for creating a CodeQL database for Java codebases, without relying on a build. This enables organizations to more easily adopt CodeQL for Java projects at scale. Note: this release announcement contains details for users of the CodeQL CLI and advanced setup for code scanning. If you’re using GitHub code scanning default setup (which is powered by the CodeQL engine), this related release announcement will likely contain the information you’re looking for.
Previously, CodeQL required a working build to analyze Java projects. This could either be automatically detected or manually specified. Starting with CodeQL 2.16.5
, you can now scan Java code without the need for a build. Our large-scale testing has shown that CodeQL can be successfully enabled for over 90% of Java repos without manual intervention.
This feature is currently in public beta and is accessible to all GitHub.com advanced setup for code scanning and CodeQL CLI users scanning Java code:
- Repositories using advanced setup for code scanning via workflow files will have the option to choose a
build-mode
. The default value for newly configured Java repos will be build-mode: none
.
-
CodeQL CLI users will not experience any change in the default behaviour, for compatibility with existing workflows. Users that want to enable this feature can now use the --build-mode none
option. Generally, we also recommend users set the --build-mode
option when using the CLI to make it easier to debug and persist the configuration should default behaviour change at any point in the future.
codeql database create test_no_build_db --language java --build-mode none
- Repositories containing a mix of Kotlin and Java code still require a working build for CodeQL analysis.
The new mechanism for scanning Java is available on GitHub.com and in CodeQL CLI 2.16.5
. While in public beta, this feature will not be available on GitHub Enterprise Server for default setup or advanced setup for code scanning. As we continue to work on scanning Java projects without the need for working builds, send us your feedback.