Re: [nebula-dev] Help with CodeQL

Hi Folks 

As far as I remember, this action appeared suddenly. I thought it had been added automatically by GitHub or that it was enabled by a committer.

I do not have a "security" section if I click on the "settings" button: is it possible that this setting is "inherited" from https://github.com/eclipse/ ?

Who can I contact? The security team?

Thank you for your help

Laurent

On Sat, 4 May 2024 at 19:35, Laurent Caron <laurent.caron@xxxxxxxxx> wrote:
Hi,

You're right I was so upset I forgot to explain the context. Sorry for that.

I've created a dummy PR for this mail: https://github.com/eclipse/nebula/pull/591 and the first action failed:
[inline image: image.png]

I tried to add a configuration file in the directory .github/workflow. I copied/pasted https://github.com/eclipse-platform/eclipse.platform/blob/master/.github/workflows/codeql.yml

And I now have two CodeQL actions, and the first one is still present and fails:

[inline image: image.png]

[2024-05-04 17:03:48] [autobuild] java.lang.TypeNotPresentException: Type org.eclipse.tycho.pomless.TychoTeslaProjectBuilder not present
...
[2024-05-04 17:03:48] [autobuild] Caused by: java.lang.UnsupportedClassVersionError: org/eclipse/tycho/pomless/TychoTeslaProjectBuilder has been compiled by a more recent version of the Java Runtime (class file version 61.0), this version of the Java Runtime only recognizes class file versions up to 55.0


If I look above the error message:

Attempting to automatically build java code
  Picked up JAVA_TOOL_OPTIONS:  -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false
  /opt/hostedtoolcache/CodeQL/2.17.1/x64/codeql/java/tools/autobuild.sh
  Picked up JAVA_TOOL_OPTIONS:  -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false
  [2024-05-04 17:03:34] Build directory is .
  [2024-05-04 17:03:34] [autobuild] > mvn clean package -f pom.xml -B -V -e -Dfindbugs.skip -Dcheckstyle.skip -Dpmd.skip=true -Dspotbugs.skip -Denforcer.skip -Dmaven.javadoc.skip -DskipTests -Dmaven.test.skip.exec -Dlicense.skip=true -Drat.skip=true -Dspotless.check.skip=true
  [2024-05-04 17:03:34] [autobuild] Picked up JAVA_TOOL_OPTIONS:  -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false
  [2024-05-04 17:03:36] [autobuild] Apache Maven 3.8.8 (4c87b05d9aedce574290d1acc98575ed5eb6cd39)
  [2024-05-04 17:03:36] [autobuild] Maven home: /usr/share/apache-maven-3.8.8
  [2024-05-04 17:03:36] [autobuild] Java version: 11.0.22, vendor: Eclipse Adoptium, runtime: /usr/lib/jvm/temurin-11-jdk-amd64
  [2024-05-04 17:03:36] [autobuild] Default locale: en, platform encoding: UTF-8
  [2024-05-04 17:03:36] [autobuild] OS name: "linux", version: "6.5.0-1018-azure", arch: "amd64", family: "unix"

I've read the documentation, trying to find a configuration... and I reached the page https://github.com/eclipse/nebula/security/code-scanning/tools/CodeQL/status/configurations/automatic

[inline image: image.png]
If I click on "Default setup": https://github.com/eclipse/nebula/settings/security_analysis => Error 404.

Then I went to https://github.com/eclipse/nebula/security/code-scanning and added a new action "CodeQL" and thus created a PR: https://github.com/eclipse/nebula/pull/592... same problem!

So who/what is the way to configure/disable this "default" CodeQL action?

Thank you for your help.

Laurent
 

On Sat, 4 May 2024 at 18:25, Christoph Läubrich via nebula-dev <nebula-dev@xxxxxxxxxxx> wrote:
It's a bit hard without knowing the "many many approaches" and why they
don't work, but maybe you can get some inspiration from the platform
workflow:

https://github.com/eclipse-platform/eclipse.platform.releng.aggregator/blob/master/.github/workflows/codeQLworkflow.yml

You can even reuse it in your repository if you like, as done here:

https://github.com/eclipse-platform/eclipse.platform/blob/master/.github/workflows/codeql.yml

On 04.05.24 at 16:27, Laurent Caron via nebula-dev wrote:
> Hi
>
> I've been fighting against CodeQL since we updated the Java Version.
>
> CodeQL wants to use JDK11:
>
> 2024-05-04T14:22:06.6262550Z [2024-05-04 14:22:06] Build directory is .
> 2024-05-04T14:22:06.7571768Z [2024-05-04 14:22:06] [autobuild] > mvn clean package -f pom.xml -B -V -e -Dfindbugs.skip -Dcheckstyle.skip -Dpmd.skip=true -Dspotbugs.skip -Denforcer.skip -Dmaven.javadoc.skip -DskipTests -Dmaven.test.skip.exec -Dlicense.skip=true -Drat.skip=true -Dspotless.check.skip=true
> 2024-05-04T14:22:07.6164942Z [2024-05-04 14:22:07] [autobuild] Picked up JAVA_TOOL_OPTIONS:  -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false
> 2024-05-04T14:22:11.0884046Z [2024-05-04 14:22:11] [autobuild] Apache Maven 3.8.8 (4c87b05d9aedce574290d1acc98575ed5eb6cd39)
> 2024-05-04T14:22:11.0885878Z [2024-05-04 14:22:11] [autobuild] Maven home: /usr/share/apache-maven-3.8.8
> 2024-05-04T14:22:11.0887650Z [2024-05-04 14:22:11] [autobuild] Java version: 11.0.22, vendor: Eclipse Adoptium, runtime: /usr/lib/jvm/temurin-11-jdk-amd64
>
> I've tried many many approaches, but without success.
>
> I've noticed that this CodeQL is not present for other Eclipse projects
> I know. Is this action cancelable?
>
> Thank you for your help
>
> Laurent
>
>
> _______________________________________________
> nebula-dev mailing list
> nebula-dev@xxxxxxxxxxx
> To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/nebula-dev
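The failure in the logs above is a JDK mismatch: the autobuild step runs Maven on the runner's JDK 11, which only accepts class file versions up to 55.0, while the Tycho pomless extension was compiled for class file version 61.0, i.e. Java 17. As an added example, not the nebula project's or the linked platform repositories' own workflow, here is a minimal advanced-setup CodeQL workflow that installs a JDK 17 before the autobuild step; the file path, the branch name and the choice of JDK 17 are assumptions.

```yaml
# Added example, not the project's own workflow. Assumed location:
# .github/workflows/codeql.yml. Branch name and JDK version are assumptions.
name: CodeQL

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

permissions:
  contents: read
  security-events: write   # required to upload the SARIF results

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Put a Java 17 JDK first on PATH and in JAVA_HOME so that the
      # "mvn clean package" run by autobuild uses the JDK the Tycho
      # pomless extension (class file version 61.0) needs, instead of the
      # runner's default JDK 11 (class file versions up to 55.0).
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17
          cache: maven

      - uses: github/codeql-action/init@v3
        with:
          languages: java

      # Autobuild inherits the JDK set up above; the "Java version:" line
      # in its log should now report 17.x rather than 11.0.22.
      - uses: github/codeql-action/autobuild@v3

      - uses: github/codeql-action/analyze@v3
```

A committed workflow does not turn off the separately configured "default setup" analysis the thread asks about; that is changed under the repository's code security settings, which only repository administrators can see.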
