fix(java): remove duplicate codeql-java-extensions dependency causing fatal analysis crash#155
Open
felickz wants to merge 1 commit into
Open
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Fixes a fatal CodeQL Java analysis crash caused by resolving githubsecuritylab/codeql-java-extensions twice (once transitively via java/lib and once directly via published configs), by removing the redundant hard dependency from the Java libs pack and bumping its version so the fix publishes.
Changes:
- Remove
githubsecuritylab/codeql-java-extensionsfromjava/lib/qlpack.ymldependencies to avoid duplicate-pack resolution. - Bump
githubsecuritylab/codeql-java-libsversion from0.2.1to0.2.2for publishing.
Show a summary per file
| File | Description |
|---|---|
java/lib/qlpack.yml |
Removes the redundant extensions dependency and bumps the pack version to publish the fix. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 1/1 changed files
- Comments generated: 0
- Review effort level: Low
…va/lib java/lib/qlpack.yml hard-pinned githubsecuritylab/codeql-java-extensions as a dependency. All three published configs (configs/default.yml, configs/synthetics.yml, configs/audit.yml) also list githubsecuritylab/codeql-java-extensions directly in their packs: list (to load its MaD data extension models). This causes the same pack to be resolved twice in a single evaluation - once transitively via codeql-java-queries -> codeql-java-libs -> codeql-java-extensions, and once directly from the config's packs: list - which the CodeQL CLI cannot reconcile: com.semmle.util.exception.CatastrophicError: Encountered two packs with the same name 'Optional[githubsecuritylab/codeql-java-extensions]' used in a single evaluation. This was confirmed against a real failing GitHub Actions run using configs/synthetics.yml verbatim from this repo: https://github.com/dsp-testing/SecurityShepherd/actions/runs/28809261039/job/85432641504 C# is unaffected: csharp/lib/qlpack.yml only depends on codeql/csharp-all - codeql-csharp-extensions is not baked in as a lib dependency, it's purely opt-in via config. Java was the only language where the lib pack hard-pinned the extensions pack (added in commit 8f4ee8a), which collides with our own configs. Nothing in java/lib actually needs codeql-java-extensions at QL-compile time - java/lib/ghsl/Utils.qll only imports standard semmle.code.java.* modules. The extensions pack is a pure MaD data pack (see java/ext/qlpack.yml) with no QL code to import, so the dependency existed only to bundle/pull in the pack - which is redundant since every shipped config already lists it explicitly. This branch is stacked on #126 (jcogs33/update-to-v0.2.2), which bumps java/lib to 0.2.2 as part of a blanket repo-wide version bump. Since 0.2.2 will already be published (with this bug still present) once #126 lands, bump java/lib to 0.2.3 here instead so this fix actually triggers a republish. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
b009584 to
362fe7d
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bug
Any Java scan using one of this repo's published configs (
configs/default.yml,configs/synthetics.yml,configs/audit.yml) fails with a fatal CodeQL error:Confirmed against a real, 100%-reproducible failing GitHub Actions run using
configs/synthetics.ymlverbatim from this repo: dsp-testing/SecurityShepherd run 28809261039, job 85432641504. The crash happens during the java-kotlinanalyzestep, right after "Resolving data extensions".Root cause
java/lib/qlpack.ymlhard-pinnedgithubsecuritylab/codeql-java-extensions: '0.2.1'as a dependency. All three published configs also listgithubsecuritylab/codeql-java-extensionsdirectly in theirpacks:list (to load its MaD data extension models). This means the same pack gets resolved twice in a single evaluation:codeql-java-queries→codeql-java-libs→codeql-java-extensionspacks:listThe CodeQL CLI can't reconcile the two resolved instances of the same named pack and fatally errors.
Why only Java is affected:
csharp/lib/qlpack.ymlonly depends oncodeql/csharp-all—codeql-csharp-extensionsis not baked intocsharp-libs, it's purely opt-in via config, same as every other language. Java is the only lib pack that hard-pinned its extensions pack as a dependency (added in #8f4ee8a, "feat: add utility predicates and classes for Java library").Nothing in
java/libactually needscodeql-java-extensionsat QL-compile time:java/lib/ghsl/Utils.qllonly imports standardsemmle.code.java.*library modules. The extensions pack is a pure MaD data pack (seejava/ext/qlpack.yml) with no QL code to import — the dependency existed only to bundle/pull in the pack, which is redundant since every shipped config already lists it explicitly.Fix
githubsecuritylab/codeql-java-extensions: '0.2.1'line fromjava/lib/qlpack.yml'sdependencies:, bringing Java in line with C# (and every other language) where the extensions pack is purely opt-in via config.java/libversion to0.2.3(see stacking note above re: why not0.2.2) so the fix gets published (.github/workflows/publish.ymlcompares each pack'sqlpack.ymlversion against what's already published on GHCR, independently per pack).No other
qlpack.ymlunderjava/needs changes:java/src/qlpack.ymldepends ongithubsecuritylab/codeql-java-libs: '*', unaffected.java/test/qlpack.ymlintentionally keeps its own directgithubsecuritylab/codeql-java-extensions: '*'dependency (for testing the extension models directly) — untouched.java/ext/qlpack.yml(the extensions pack itself) is unchanged.Lock files (
codeql-pack.lock.yml) don't need updating — they only record resolved published-registry packs (e.g.codeql/java-all); local in-workspace packs likecodeql-java-libs/codeql-java-extensionsare resolved viacodeql-workspace.ymland never appeared in the lock files, so removing this dependency doesn't change lock content.Verification
Local sandbox only had CodeQL CLI 2.25.6 available, not the repo's pinned 2.21.1 (
.codeqlversion), so local results can't perfectly reproduce or validate against the exact pinned toolchain:java/lib/ghsl.qll) withcodeql query compile— succeeds cleanly after the fix, no dependency/syntax errors.codeql test run) — passing.--additional-packs); this didn't reproduce because local resolution dedupes identical filesystem paths, whereas the production failure occurs when the registry resolves the same named pack into two distinct locations (once as a transitive dependency, once as a directly-requested config pack).This repo's CI (
.github/workflows/ci.yml) installs the actual pinned 2.21.1 CLI and runs the real Java analyze/compile/test jobs — that run is the authoritative validation of this fix, since it uses the correct pinned toolchain rather than the newer, mismatched local CLI.