Skip to content

fix(java): remove duplicate codeql-java-extensions dependency causing fatal analysis crash#155

Open
felickz wants to merge 1 commit into
jcogs33/update-to-v0.2.2from
felickz-fix-java-duplicate-extensions-pack
Open

fix(java): remove duplicate codeql-java-extensions dependency causing fatal analysis crash#155
felickz wants to merge 1 commit into
jcogs33/update-to-v0.2.2from
felickz-fix-java-duplicate-extensions-pack

Conversation

@felickz

@felickz felickz commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Stacked on #126. This PR is based on jcogs33/update-to-v0.2.2 (PR #126), which does a blanket repo-wide version bump including java/lib/qlpack.yml0.2.2. Since that version will already be published (with this bug still present) once #126 lands, this PR bumps java/lib to 0.2.3 instead, so the fix actually triggers a republish. Once #126 merges to main, this PR's base should be updated to main (the diff will be unchanged — just the removed dependency line and the version bump to 0.2.3).

Bug

Any Java scan using one of this repo's published configs (configs/default.yml, configs/synthetics.yml, configs/audit.yml) fails with a fatal CodeQL error:

com.semmle.util.exception.CatastrophicError: Encountered two packs with the same name 'Optional[githubsecuritylab/codeql-java-extensions]' used in a single evaluation.

Confirmed against a real, 100%-reproducible failing GitHub Actions run using configs/synthetics.yml verbatim from this repo: dsp-testing/SecurityShepherd run 28809261039, job 85432641504. The crash happens during the java-kotlin analyze step, right after "Resolving data extensions".

Root cause

java/lib/qlpack.yml hard-pinned githubsecuritylab/codeql-java-extensions: '0.2.1' as a dependency. All three published configs also list githubsecuritylab/codeql-java-extensions directly in their packs: list (to load its MaD data extension models). This means the same pack gets resolved twice in a single evaluation:

  • transitively: codeql-java-queriescodeql-java-libscodeql-java-extensions
  • directly: from the config's packs: list

The CodeQL CLI can't reconcile the two resolved instances of the same named pack and fatally errors.

Why only Java is affected: csharp/lib/qlpack.yml only depends on codeql/csharp-allcodeql-csharp-extensions is not baked into csharp-libs, it's purely opt-in via config, same as every other language. Java is the only lib pack that hard-pinned its extensions pack as a dependency (added in #8f4ee8a, "feat: add utility predicates and classes for Java library").

Nothing in java/lib actually needs codeql-java-extensions at QL-compile time: java/lib/ghsl/Utils.qll only imports standard semmle.code.java.* library modules. The extensions pack is a pure MaD data pack (see java/ext/qlpack.yml) with no QL code to import — the dependency existed only to bundle/pull in the pack, which is redundant since every shipped config already lists it explicitly.

Fix

  • Remove the githubsecuritylab/codeql-java-extensions: '0.2.1' line from java/lib/qlpack.yml's dependencies:, bringing Java in line with C# (and every other language) where the extensions pack is purely opt-in via config.
  • Bump java/lib version to 0.2.3 (see stacking note above re: why not 0.2.2) so the fix gets published (.github/workflows/publish.yml compares each pack's qlpack.yml version against what's already published on GHCR, independently per pack).

No other qlpack.yml under java/ needs changes:

  • java/src/qlpack.yml depends on githubsecuritylab/codeql-java-libs: '*', unaffected.
  • java/test/qlpack.yml intentionally keeps its own direct githubsecuritylab/codeql-java-extensions: '*' dependency (for testing the extension models directly) — untouched.
  • java/ext/qlpack.yml (the extensions pack itself) is unchanged.

Lock files (codeql-pack.lock.yml) don't need updating — they only record resolved published-registry packs (e.g. codeql/java-all); local in-workspace packs like codeql-java-libs/codeql-java-extensions are resolved via codeql-workspace.yml and never appeared in the lock files, so removing this dependency doesn't change lock content.

Verification

Local sandbox only had CodeQL CLI 2.25.6 available, not the repo's pinned 2.21.1 (.codeqlversion), so local results can't perfectly reproduce or validate against the exact pinned toolchain:

  • Compiled representative Java queries (including ones importing java/lib/ghsl.qll) with codeql query compile — succeeds cleanly after the fix, no dependency/syntax errors.
  • Ran a subset of the Java test suite (codeql test run) — passing.
  • Attempted to locally reproduce the exact duplicate-pack crash using local workspace pack resolution (--additional-packs); this didn't reproduce because local resolution dedupes identical filesystem paths, whereas the production failure occurs when the registry resolves the same named pack into two distinct locations (once as a transitive dependency, once as a directly-requested config pack).

This repo's CI (.github/workflows/ci.yml) installs the actual pinned 2.21.1 CLI and runs the real Java analyze/compile/test jobs — that run is the authoritative validation of this fix, since it uses the correct pinned toolchain rather than the newer, mismatched local CLI.

Copilot AI review requested due to automatic review settings July 6, 2026 18:05

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes a fatal CodeQL Java analysis crash caused by resolving githubsecuritylab/codeql-java-extensions twice (once transitively via java/lib and once directly via published configs), by removing the redundant hard dependency from the Java libs pack and bumping its version so the fix publishes.

Changes:

  • Remove githubsecuritylab/codeql-java-extensions from java/lib/qlpack.yml dependencies to avoid duplicate-pack resolution.
  • Bump githubsecuritylab/codeql-java-libs version from 0.2.1 to 0.2.2 for publishing.
Show a summary per file
File Description
java/lib/qlpack.yml Removes the redundant extensions dependency and bumps the pack version to publish the fix.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 1/1 changed files
  • Comments generated: 0
  • Review effort level: Low

…va/lib

java/lib/qlpack.yml hard-pinned githubsecuritylab/codeql-java-extensions
as a dependency. All three published configs (configs/default.yml,
configs/synthetics.yml, configs/audit.yml) also list
githubsecuritylab/codeql-java-extensions directly in their packs: list
(to load its MaD data extension models). This causes the same pack to
be resolved twice in a single evaluation - once transitively via
codeql-java-queries -> codeql-java-libs -> codeql-java-extensions, and
once directly from the config's packs: list - which the CodeQL CLI
cannot reconcile:

  com.semmle.util.exception.CatastrophicError: Encountered two packs
  with the same name 'Optional[githubsecuritylab/codeql-java-extensions]'
  used in a single evaluation.

This was confirmed against a real failing GitHub Actions run using
configs/synthetics.yml verbatim from this repo:
https://github.com/dsp-testing/SecurityShepherd/actions/runs/28809261039/job/85432641504

C# is unaffected: csharp/lib/qlpack.yml only depends on
codeql/csharp-all - codeql-csharp-extensions is not baked in as a lib
dependency, it's purely opt-in via config. Java was the only language
where the lib pack hard-pinned the extensions pack (added in commit
8f4ee8a), which collides with our own configs.

Nothing in java/lib actually needs codeql-java-extensions at QL-compile
time - java/lib/ghsl/Utils.qll only imports standard
semmle.code.java.* modules. The extensions pack is a pure MaD data pack
(see java/ext/qlpack.yml) with no QL code to import, so the dependency
existed only to bundle/pull in the pack - which is redundant since
every shipped config already lists it explicitly.

This branch is stacked on #126 (jcogs33/update-to-v0.2.2), which bumps
java/lib to 0.2.2 as part of a blanket repo-wide version bump. Since
0.2.2 will already be published (with this bug still present) once
#126 lands, bump java/lib to 0.2.3 here instead so this fix actually
triggers a republish.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@felickz felickz force-pushed the felickz-fix-java-duplicate-extensions-pack branch from b009584 to 362fe7d Compare July 6, 2026 18:09
@felickz felickz changed the base branch from main to jcogs33/update-to-v0.2.2 July 6, 2026 18:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants