diff --git a/Dockerfile b/Dockerfile index 36ca7c7..7d8b679 100644 --- a/Dockerfile +++ b/Dockerfile @@ -33,7 +33,6 @@ RUN apt-get update && \ file \ dos2unix \ default-jdk \ - openjdk-8-jdk \ maven \ gettext && \ apt-get clean && \ diff --git a/Dockerfile-java b/Dockerfile-java new file mode 100644 index 0000000..6a3918b --- /dev/null +++ b/Dockerfile-java @@ -0,0 +1,12 @@ +# FROM --platform=amd64 maven:3.8-openjdk-17-slim +FROM --platform=amd64 maven:3-jdk-8-slim + +RUN ls -lia $JAVA_HOME + +RUN mkdir -p /opt/jdk/ /opt/maven/ + +RUN cp -r $JAVA_HOME/* /opt/jdk/ + +RUN cp -r $MAVEN_HOME/* /opt/maven/ + +CMD ["echo"] \ No newline at end of file diff --git a/README.md b/README.md index f687532..ded0382 100644 --- a/README.md +++ b/README.md @@ -56,7 +56,6 @@ You can set environment variables to use the following supported options: `SAVE_CACHE_FLAG` | Value `--save-cache`. Aggressively save intermediate results to the disk cache. This may speed up subsequent queries if they are similar. Be aware that using this option will greatly increase disk usage and initial evaluation time. `ACTION` | Value `create-database-only`. Creating CodeQL database only without executing CodeQL analysis. `COMMAND` | Value ``. The variable used when you create a CodeQL database for one or more compiled languages, omit if the only languages requested are Python and JavaScript. This specifies the build commands needed to invoke the compiler. If you don't set this variable, CodeQL will attempt to detect the build system automatically, using a built-in autobuilder. -`JAVA_VERSION` | Value ``. Set the Java version. The default Java version is Java 11. It must be `8` or `11`. ----- ***Disclaimer:** CodeQL Agent directly forwards these options to the command arguments while running the container. Please take it as your security responsibility.* @@ -128,16 +127,39 @@ docker run --rm --name codeql-agent-docker \
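Review bot: `FROM --platform=amd64 maven:3-jdk-8-slim` in the new Dockerfile-java pulls a floating tag with no digest, and everything copied out of it into /opt/jdk and /opt/maven is the toolchain that later runs `mvn clean install` and the CodeQL extraction inside the agent container, so that toolchain is only as trustworthy as whatever the tag resolves to on the day it is built. Pin it, e.g. `FROM --platform=amd64 maven:3-jdk-8-slim@sha256:<digest from docker buildx imagetools inspect>`, and add a comment that the jdk-8 tags of this image appear to no longer be rebuilt upstream, so a pinned digest will not pick up JDK/Maven security fixes either — users copying this file should see that trade-off stated. `RUN ls -lia $JAVA_HOME` looks like a debugging leftover (the README copy of the same Dockerfile omits it); drop it so the two copies match. The file is also missing its trailing newline.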
Specify the Java version and the build database command -```bash -docker run --rm --name codeql-agent-docker \ - -v "$PWD:/opt/src" \ - -v "$PWD/codeql-agent-results:/opt/results" \ - -e "LANGUAGE=java" \ - -e "JAVA_VERSION=8" \ - -e "COMMAND=mvn clean install" \ - doublevkay/codeql-agent +By default, we use JDK 11 and Maven 3.6.3 for the CodeQL agent image. We can change the versions of Java and Maven by mounting a volume and setting the JAVA_HOME and MAVEN_HOME environment variables in the CodeQL agent container. For example: -``` +1. Create a Dockerfile (named Dockerfile-java) for the specific versions of Java and Maven, and place it in the directory that will be used for mounting later: + ```Dockerfile + FROM --platform=amd64 maven:3-jdk-8-slim + + RUN mkdir -p /opt/jdk/ /opt/maven/ + + RUN cp -r $JAVA_HOME/* /opt/jdk/ + + RUN cp -r $MAVEN_HOME/* /opt/maven/ + + CMD ["echo"] + ``` +2. Build and run the Docker container, mounting the JDK and Maven directories to the respective volumes: + ```bash + docker buildx build -t codeql-java -f Dockerfile-java . + docker run --rm -v "jdkvol:/opt/jdk" -v "mavenvol:/opt/maven" codeql-java + ``` +3. Finally, run codeql-agent container with mounted volumes and set env variable JAVA_HOME, MAVEN_HOME to the mounted volumes + + ```bash + docker run --rm --name codeql-agent-docker \ + -v "$PWD:/opt/src" \ + -v "$PWD/codeql-agent-results:/opt/results" \ + -v "jdkvol:/opt/jdk" \ + -v "mavenvol:/opt/maven" \ + -e "LANGUAGE=java" \ + -e "JAVA_HOME=/opt/jdk" \ + -e "MAVEN_HOME=/opt/maven" \ + -e "COMMAND=mvn clean install" \ + doublevkay/codeql-agent + ```
## Build diff --git a/scripts/analyze.sh b/scripts/analyze.sh index 29fd5f1..ac85605 100755 --- a/scripts/analyze.sh +++ b/scripts/analyze.sh @@ -12,6 +12,32 @@ print_red() { # Set SRC SRC=/opt/src +# Check if JAVA_HOME is set and not empty +if [ -n "$JAVA_HOME" ]; then + echo "JAVA_HOME is set to $JAVA_HOME" + # Check and add JAVA_HOME/jre/bin to PATH if it exists + if [ -d "$JAVA_HOME/jre/bin" ]; then + export PATH="$JAVA_HOME/jre/bin:$PATH" + fi + # Check and add JAVA_HOME/bin to PATH if it exists + if [ -d "$JAVA_HOME/bin" ]; then + export PATH="$JAVA_HOME/bin:$PATH" + fi +else + echo "JAVA_HOME is not set or empty. Use default." +fi + +# Check if MAVEN_HOME is set and not empty +if [ -n "$MAVEN_HOME" ]; then + echo "MAVEN_HOME is set to $MAVEN_HOME" + # Check and add MAVEN_HOME/bin to PATH if it exists + if [ -d "$MAVEN_HOME/bin" ]; then + export PATH="$MAVEN_HOME/bin:$PATH" + fi +else + echo "MAVEN_HOME is not set or empty. Use default." +fi + if [[ -z "${CI_PROJECT_DIR}" ]]; then SRC=/opt/src else 
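Review bot: The new JAVA_HOME block only distinguishes "set" from "unset": a JAVA_HOME that is set but holds no JDK (the README's step 2 never run, or `jdkvol` created empty by `docker run -v`) passes both `-d` checks silently, PATH is left untouched, and the failure only surfaces later from the mvn launcher or the CodeQL Java extractor, which presumably both read JAVA_HOME, with a far less obvious message. Fail fast instead: `if [ -n "$JAVA_HOME" ] && [ ! -x "$JAVA_HOME/bin/java" ]; then print_red "[!] JAVA_HOME=$JAVA_HOME has no executable bin/java"; exit 6; fi` (6 being the next code after the 3/4/5 used further down — confirm it is unused), and the same check for `$MAVEN_HOME/bin/mvn`. A short comment above the block that these directories come from a user-supplied volume and are executed as-is, trusted by design like COMMAND, would make that boundary explicit for the next reader.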
@@ -29,71 +55,60 @@ if [ ! -d "$SRC" ]; then exit 3 fi -if [ -z $LANGUAGE ] -then - if [ ! -z $CI_PROJECT_REPOSITORY_LANGUAGES ] - then - ListLanguages=(${CI_PROJECT_REPOSITORY_LANGUAGES//,/ }) - else - chown -R $(id -u):$(id -g) $SRC - mapfile -t ListLanguages <<< $(github-linguist $SRC) - fi - for val in "${ListLanguages[@]}"; do - lang="$(echo $val | rev | cut -d' ' -f 1 | rev)" - lang=${lang,,} - if [[ "${SupportedLanguage[*]}" =~ "${lang}" ]]; then - LANGUAGE=$lang - break - fi - done - if [[ $LANGUAGE == "" ]]; then - print_red "[!] Can not auto detect language. Please check the source code or specify the LANGUAGE variable." - finalize - exit 4 +if [ -z $LANGUAGE ]; then + if [ ! -z $CI_PROJECT_REPOSITORY_LANGUAGES ]; then + ListLanguages=(${CI_PROJECT_REPOSITORY_LANGUAGES//,/ }) + else + chown -R $(id -u):$(id -g) $SRC + mapfile -t ListLanguages <<<$(github-linguist $SRC) + fi + for val in "${ListLanguages[@]}"; do + lang="$(echo $val | rev | cut -d' ' -f 1 | rev)" + lang=${lang,,} + if [[ "${SupportedLanguage[*]}" =~ "${lang}" ]]; then + LANGUAGE=$lang + break fi + done + if [[ $LANGUAGE == "" ]]; then + print_red "[!] Can not auto detect language. Please check the source code or specify the LANGUAGE variable." + finalize + exit 4 + fi fi # Set options LANGUAGE=${LANGUAGE,,} -if [[ "$LANGUAGE" == "python" || "$LANGUAGE" == "javascript" || "$LANGUAGE" == "cpp" || "$LANGUAGE" == "csharp" || "$LANGUAGE" == "java" || "$LANGUAGE" == "go" || "$LANGUAGE" == "typescript" || "$LANGUAGE" == "c" ]] -then - if [[ "$LANGUAGE" == "typescript" ]] - then +if [[ "$LANGUAGE" == "python" || "$LANGUAGE" == "javascript" || "$LANGUAGE" == "cpp" || "$LANGUAGE" == "csharp" || "$LANGUAGE" == "java" || "$LANGUAGE" == "go" || "$LANGUAGE" == "typescript" || "$LANGUAGE" == "c" ]]; then + if [[ "$LANGUAGE" == "typescript" ]]; then LANGUAGE="javascript" fi - if [[ "$LANGUAGE" == "c" ]] - then + if [[ "$LANGUAGE" == "c" ]]; then LANGUAGE="cpp" fi else - echo "[!] 
Invalid language: $LANGUAGE" - finalize - exit 5 + echo "[!] Invalid language: $LANGUAGE" + finalize + exit 5 fi -if [ -z $FORMAT ] -then +if [ -z $FORMAT ]; then FORMAT="sarif-latest" fi -if [ -z $QS ] -then +if [ -z $QS ]; then QS="$LANGUAGE-security-extended.qls" fi -if [ -z $OUTPUT ] -then +if [ -z $OUTPUT ]; then OUTPUT="/opt/results" fi -if [ -z $THREADS ] -then +if [ -z $THREADS ]; then THREADS="0" fi - - DB="$OUTPUT/codeql-db" # Set THREADS @@ -108,28 +123,14 @@ print_green " [+] Output: $OUTPUT" print_green " [+] Format: $FORMAT" echo "----------------" -# Switch to Java 8 -if [[ $JAVA_VERSION ]] -then - if [[ $JAVA_VERSION == "8" ]]; then - update-java-alternatives -s $(update-java-alternatives -l | grep 8 | cut -d " " -f1) || echo '.' - elif [[ $JAVA_VERSION == "11" ]]; then - update-java-alternatives -s $(update-java-alternatives -l | grep 11 | cut -d " " -f1) || echo '.' - else - echo "[Warning] : JAVA_VERSION must be 8 or 11." - fi -fi - # Check action -if [ -z $ACTION ] -then +if [ -z $ACTION ]; then ACTION='all' fi # Functions create_database() { - if [[ $COMMAND ]] - then + if [[ $COMMAND ]]; then print_green "[Running] Creating DB: codeql database create --threads=$THREADS --language=$LANGUAGE --command=\"$COMMAND\" $DB -s $SRC $OVERWRITE_FLAG" codeql database create --threads=$THREADS --language=$LANGUAGE --command="$COMMAND" $DB -s $SRC $OVERWRITE_FLAG else @@ -145,7 +146,7 @@ create_database() { scan() { print_green "[Running] Start Scanning: codeql database analyze --format=$FORMAT --threads=$THREADS $SAVE_CACHE_FLAG --output=$OUTPUT/issues.$FORMAT $DB $QS" - codeql database analyze --format=$FORMAT --threads=$THREADS $SAVE_CACHE_FLAG --output=$OUTPUT/issues.$FORMAT $DB $QS + codeql database analyze --off-heap-ram=0 --format=$FORMAT --threads=$THREADS $SAVE_CACHE_FLAG --output=$OUTPUT/issues.$FORMAT $DB $QS if [ $? -ne 0 ]; then print_red "[!] CodeQL analyze failed." finalize 
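Review bot: The reindented language-detection block still tests `[ -z $LANGUAGE ]` and `[ ! -z $CI_PROJECT_REPOSITORY_LANGUAGES ]` unquoted inside `[`; since the commit rewrote every one of these lines anyway, this was the moment to switch them to `[[ -z "$LANGUAGE" ]]` / `[[ -n "$CI_PROJECT_REPOSITORY_LANGUAGES" ]]`, the form the rest of the script already uses for `$LANGUAGE`. With a value containing whitespace the POSIX form errors out ("too many arguments") and detection falls through unpredictably, and `$SRC` is likewise unquoted in `chown -R ... $SRC` and `github-linguist $SRC`. Separately, `finalize` is called at top level on the exit-4 and exit-5 paths but is defined much later in the file (the `@@ -163` hunk), so unless it is also defined above line 12 those calls print "command not found" before exiting — pre-existing, but worth a follow-up.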
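Review bot: Removing the JAVA_VERSION switch means an existing `-e JAVA_VERSION=8` in a user's CI configuration is now silently ignored and the build runs on the default JDK 11, a change that will only show up as a confusing compiler or bytecode-level error. A one-line guard keeps the break loud: `[[ -n "$JAVA_VERSION" ]] && print_red "[Warning] JAVA_VERSION is no longer supported; mount a JDK and set JAVA_HOME instead (see README)."`. Placing it next to the `# Check action` block keeps it with the other option handling.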
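Review bot: The `print_green "[Running] Start Scanning: codeql database analyze ..."` line just above the changed command is a context line and still prints the invocation without `--off-heap-ram=0`, so the logged command no longer matches what actually runs; add the flag to the log string as well. The flag also arrives with no explanation and is hard-coded while THREADS, FORMAT and SAVE_CACHE_FLAG are all environment-driven, so a why-comment above the call such as `# --off-heap-ram=0: <observed problem this fixes> — TODO record the motivating issue/run` would stop the next maintainer from removing it. scan()'s body continues outside the hunk.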
@@ -163,8 +164,7 @@ convert_sarif_to_sast() { } finalize() { - if [[ $USERID && $GROUPID ]] - then + if [[ $USERID && $GROUPID ]]; then chown -R $USERID:$GROUPID $OUTPUT chown -R $USERID:$GROUPID $SRC fi @@ -184,4 +184,3 @@ main() { # Main main -
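Review bot: `chown -R $USERID:$GROUPID $OUTPUT` and `... $SRC` in finalize() take USERID and GROUPID straight from the environment, unquoted and unvalidated, and the commit touched the guarding `if` without tightening it; a mistyped value containing whitespace word-splits into extra chown arguments and the recursive chown then lands on unintended paths, including the bind-mounted host source tree. This is not a trust boundary (the caller already controls COMMAND), so the fix is hygiene rather than hardening: `if [[ "$USERID" =~ ^[0-9]+$ && "$GROUPID" =~ ^[0-9]+$ ]]; then chown -R "$USERID:$GROUPID" "$OUTPUT" "$SRC"; fi`. If the container is expected to run as root for these chowns to work, a comment saying so would help.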