I have a repository that has a Java codebase that is built using Gradle. In the Azure DevOps pipeline for this application I am first running the following command to set up the CodeQL build tracing:
codeql database init --source-root Build.Repository.LocalPath --language java, --begin-tracing codeql-db --overwrite --db-cluster
This works successfully with the following output:
Resolving extractor java.
Successfully loaded extractor Java (java) from /apps/ado/tools/codeql/java.
Created skeleton CodeQL database at /apps/ado/vsts/agent2/_work/3335/codeql-db. This in-progress database is ready to be populated by an extractor.
I then set the tracing variables as environment variables.
The code is then built with Gradle.
Then I'm finalizing the database with:
codeql database finalize codeql-db
But the output is:
No source code was seen and extracted to /apps/ado/vsts/agent2/_work/3335/codeql-db.
This can occur if the specified build commands failed to compile or process any code.
- Confirm that there is some source code for the specified language in the project.
- For codebases written in Go, JavaScript, TypeScript, and Python, do not specify
an explicit --command.
- For other languages, the --command must specify a "clean" build which compiles
all the source code files without reusing existing build artefacts.
This same action works perfectly on a Maven build but I can't for the life of me see a reason why this isn't recognizing the compile. Any help is greatly appreciated.
For Gradle, it is most common that a background process is handling the build. Since CodeQL needs to trace the compiler invocations that happen to create its database, you should disable the Gradle daemon:
Check out the sample from these CodeQL docs: "Specifying build commands".
codeql database create java-database --language=java-kotlin --command='gradle --no-daemon --no-build-cache clean test'
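A pre-flight check for the Gradle command line used in a traced build, added here as an example; it is not from the thread or the CodeQL docs. The function names are hypothetical, and the checks on the Gradle properties `org.gradle.daemon` and `org.gradle.caching` go beyond the flags shown in the answer.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check of a Gradle command
# line before a CodeQL-traced build. Function names are hypothetical.

# has_arg CMD ARG: succeeds if ARG is a whole argument of CMD.
has_arg() {
    case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}

# prop_is FILE KEY_REGEX VALUE: succeeds if FILE sets the property to VALUE.
prop_is() {
    [ -f "$1" ] &&
        grep -Eq "^[[:space:]]*$2[[:space:]]*[=:][[:space:]]*$3[[:space:]]*\$" "$1"
}

# check_gradle_trace CMD [PROPS_FILE]
# Prints one finding per line and returns the number of findings (0 = ready).
check_gradle_trace() {
    cmd=$1 props=${2:-gradle.properties} n=0
    # Daemon: must be switched off by flag or by org.gradle.daemon=false.
    if ! has_arg "$cmd" --no-daemon && ! prop_is "$props" 'org\.gradle\.daemon' false; then
        echo "daemon: add --no-daemon (Gradle daemon is not disabled)"
        n=$((n + 1))
    fi
    # Build cache: only a problem when something turns it on.
    if ! has_arg "$cmd" --no-build-cache &&
        { has_arg "$cmd" --build-cache || prop_is "$props" 'org\.gradle\.caching' true; }; then
        echo "cache: add --no-build-cache (build cache is enabled)"
        n=$((n + 1))
    fi
    # Clean build: reused class files mean no compiler invocation to observe.
    if ! has_arg "$cmd" clean; then
        echo "clean: add the clean task so every source file is recompiled"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed inputs for demonstration.
demo_props=$(mktemp)
printf 'org.gradle.caching=true\n' > "$demo_props"
check_gradle_trace "gradle build" "$demo_props" || echo "-> $? finding(s)"
check_gradle_trace "gradle --no-daemon --no-build-cache clean test" "$demo_props" &&
    echo "-> ready for tracing"
rm -f "$demo_props"
```

Run it in the pipeline step before the Gradle build and fail the step on a non-zero return, so a daemon-backed or cached build is caught before `codeql database finalize` reports that no source code was seen.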