Compiling the code (only for Java and C#)

Some Java and C#/.NET scanners, such as CodeQL, FindSecBugs and Security Code Scan, need to build (or "instrument") the code before they can analyse it: CodeQL extracts its database while the compiler runs, and FindSecBugs inspects the compiled bytecode rather than the source. This can be challenging, because the source code must be complete and compile cleanly, and every dependency must be available: either cached offline, downloadable from an internal artifact repository such as Artifactory, or fetchable from the Internet.

Ask the developers or your teammates how to obtain a compilable version of the code. The extra mile is usually worth it, since results from a scan of successfully built code are far more complete than those from a source-only scan.

Here we look at the case where Maven is used to build Java projects.

Maven, along with Gradle, Ant and a few other build systems, is supported by SAST scanners such as CodeQL and FindSecurityBugs: the scanner attempts to download the dependencies from the repositories referenced in pom.xml and then compiles the code for further analysis.

This works well when the dependency repository is reachable from the scanner and does not require authentication to download modules, for example Maven Central over the Internet.

If that is not the case, download the dependencies beforehand and pass the cached modules along with the source code. Maven can populate its local cache with the following command, run from the source code folder (use mvn instead of ./mvnw if the project does not ship the Maven wrapper):

./mvnw dependency:go-offline

Maven downloads the dependencies and stores them in its local repository under the ~/.m2 folder.

The folders under ~/.m2 contain the downloaded modules, which can be provided to the offline ScanSuite installation. Copy them into the dependency folder of the source code and upload the code ZIP archive via the web interface as usual.
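The procedure above, scripted end to end, as an added example that is not part of the original page or of ScanSuite. It caches the dependencies into a project-local repository (the folder name .m2-offline is an assumption made here) so that the cache travels with the source instead of living in ~/.m2, then proves the cache is complete by compiling with Maven in offline mode (-o), which forbids any network access, before zipping source and cache together. Everything else (mvnw fallback to mvn, the ZIP name) is a choice of this script, not something the page prescribes.

```shell
#!/bin/sh
# Added example (not ScanSuite code): cache Maven dependencies next to the
# source so the tree can be handed to an offline SAST scanner.
# Assumed names: CACHE_DIR and the ZIP file name are choices made here.
set -eu

CACHE_DIR=".m2-offline"   # assumed folder name; the scanner only needs to read it

# Prefer the project's Maven wrapper if it ships one, otherwise a system mvn.
maven_cmd() {
    project="$1"
    if [ -x "$project/mvnw" ]; then
        printf '%s\n' "$project/mvnw"
    else
        printf '%s\n' "mvn"
    fi
}

# Arguments for the caching step. -Dmaven.repo.local redirects the local
# repository from ~/.m2/repository into the project folder.
go_offline_args() {
    cache="$1"
    printf '%s\n' "-B -Dmaven.repo.local=$cache dependency:go-offline"
}

# Arguments for the verification step. -o puts Maven in offline mode, so a
# failure here means something (often a plugin) is still missing from the cache.
verify_args() {
    cache="$1"
    printf '%s\n' "-B -o -Dmaven.repo.local=$cache -DskipTests compile"
}

# A populated Maven repository always contains .pom files; an empty or missing
# directory means go-offline did not run or resolved nothing.
cache_populated() {
    cache="$1"
    [ -d "$cache" ] && find "$cache" -name '*.pom' | head -n 1 | grep -q .
}

main() {
    project="$1"
    cache="$project/$CACHE_DIR"
    mvn_bin="$(maven_cmd "$project")"
    # shellcheck disable=SC2046  # word splitting of the argument string is intended
    ( cd "$project" && "$mvn_bin" $(go_offline_args "$CACHE_DIR") )
    ( cd "$project" && "$mvn_bin" $(verify_args "$CACHE_DIR") )
    cache_populated "$cache" || { echo "cache $cache is empty" >&2; exit 1; }
    # Archive source and cache together; the scanner unpacks both at once.
    ( cd "$(dirname "$project")" \
        && zip -qr "$(basename "$project").zip" "$(basename "$project")" )
    echo "created $(dirname "$project")/$(basename "$project").zip"
}

# Usage: sh cache-deps.sh /path/to/project
if [ $# -gt 0 ]; then main "$@"; fi
```

Two caveats a practitioner should keep in mind: dependency:go-offline is known to miss some plugin artifacts, which is why the offline compile is run before the archive is built rather than trusting the goal alone; and the Maven wrapper itself downloads a Maven distribution into ~/.m2/wrapper on first use, so on a fully offline scanner either ship that folder too or use a system-installed mvn.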
