codeql-action
codeql-action copied to clipboard
github
Multiple JAVA_HOME detected and wrong one selected
I set up JDK 17 like this.
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Setup Java
uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: '17'
And it seems that autobuild selects wrong JDK.
/opt/hostedtoolcache/CodeQL/2.14.1/x64/codeql/java/tools/autobuild.sh
Picked up JAVA_TOOL_OPTIONS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false
[2023-08-27 13:07:02] Build directory is .
[2023-08-27 13:07:02] Discovered Java toolchain for version 17.0.0 at /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.8-7/x64 in /home/runner/.m2/toolchains.xml
[2023-08-27 13:07:02] Discovered Java toolchain for version 17.0.0 at /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.8-7/x64 in JAVA_HOME_17_X64
[2023-08-27 13:07:02] Discovered Java toolchain for version 8.0.0 at /usr/lib/jvm/temurin-8-jdk-amd64 in JAVA_HOME_8_X64
[2023-08-27 13:07:02] Discovered Java toolchain for version 11.0.0 at /usr/lib/jvm/temurin-11-jdk-amd64 in JAVA_HOME_11_X64
[2023-08-27 13:07:02] Setting Java version to 8.0.0 (GHA) <<<<<<<<<<<<<<<<<<<<<<<<<<<<
[2023-08-27 13:07:02] Setting JAVA_HOME to /usr/lib/jvm/temurin-8-jdk-amd64 <<<<<<<<<<<<<<<<<
[2023-08-27 13:07:02] Adding /usr/lib/jvm/temurin-8-jdk-amd64/bin to PATH
[2023-08-27 13:07:02] [autobuild] > mvn -N io.takari:maven:wrapper
And this is my enforcer rules evaluates.
>mvn validate
[INFO] Scanning for projects...
[INFO]
[INFO] --------< ... >--------
[INFO] Building ...-SNAPSHOT
[INFO] from pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- enforcer:3.4.0:enforce (enforce-dependency-convergence) @ ... ---
[INFO] Skipping Rule Enforcement.
[INFO]
[INFO] --- enforcer:3.4.0:enforce (enforce-require-java-version-to-[17,)) @ ... ---
[INFO] Detected Java Version: '20.0.2'
[INFO] Normalized Java Version: '20.0.2'
[INFO] Rule 0: org.apache.maven.enforcer.rules.version.RequireJavaVersion passed
[INFO]
[INFO] --- enforcer:3.4.0:enforce (enforce-require-maven-version-to-[3.2.5,)) @ ... ---
[INFO] Rule 0: org.apache.maven.enforcer.rules.version.RequireMavenVersion passed
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2.319 s
[INFO] Finished at: 2023-08-27T22:23:15+09:00
[INFO] ------------------------------------------------------------------------
Is your repository using codeql? If so, can you include your full (redacted) workflow file? If it isn't using codeql, then this is not the correct repo to raise the issue. actions/setup-java is the right place.
I just learned that we have recently made some changes to CodeQL's ability to discover which versions of Java are installed in the build environment. Please see the details in this issue and it may help with what you are seeing.
https://github.com/github/codeql/issues/13541
Hi @onacit! The issue that @aeisenberg linked to is likely what you are running into, but we have made some further improvements to the version selection logic since. I note that you are currently using CodeQL 2.14.1. CodeQL 2.14.3 contains the improvements, so if you can give that version a go and report back whether that works for you, that would be great!
I think this is still happening: https://github.com/maevsi/android/actions/runs/6648225427/job/18064934351#step:4:78 I'd expect v17 to be chosen as Gradle 8.4 should certainly support it, shouldn't it? :thinking:
This continues to be an issue. I just turned on the recommended default security configuration for the ankidroid organization, and in our Anki-Android project we get this non-sensical output where the gradle compatibility graph is not represented correctly in the codeql jdk selection logic:
[2024-04-21 16:43:01] Found no Java toolchains in a toolchains file, inspecting environment variables...
[2024-04-21 16:43:01] Discovered Java toolchain for version 11.0.0 at /usr/lib/jvm/temurin-11-jdk-amd64 in JAVA_HOME_11_X64
[2024-04-21 16:43:01] Discovered Java toolchain for version 8.0.0 at /usr/lib/jvm/temurin-8-jdk-amd64 in JAVA_HOME_8_X64
[2024-04-21 16:43:01] Discovered Java toolchain for version 17.0.0 at /usr/lib/jvm/temurin-17-jdk-amd64 in JAVA_HOME_17_X64
[2024-04-21 16:43:01] Discovered Java toolchain for version 21.0.0 at /usr/lib/jvm/temurin-21-jdk-amd64 in JAVA_HOME_21_X64
[2024-04-21 16:43:01] Found no Java toolchains in a toolchains file, inspecting environment variables...
[2024-04-21 16:43:01] Discovered Java toolchain for version 11.0.0 at /usr/lib/jvm/temurin-11-jdk-amd64 in JAVA_HOME_11_X64
[2024-04-21 16:43:01] Discovered Java toolchain for version 8.0.0 at /usr/lib/jvm/temurin-8-jdk-amd64 in JAVA_HOME_8_X64
[2024-04-21 16:43:01] Discovered Java toolchain for version 17.0.0 at /usr/lib/jvm/temurin-17-jdk-amd64 in JAVA_HOME_17_X64
[2024-04-21 16:43:01] Discovered Java toolchain for version 21.0.0 at /usr/lib/jvm/temurin-21-jdk-amd64 in JAVA_HOME_21_X64
[2024-04-21 16:43:01] Identified 11.0.22 as the newest version of Java supported by the version of Gradle in use. The system default of 11.0.22 is compatible with this.
[2024-04-21 16:43:01] [autobuild] > ./gradlew --no-daemon -S -Dorg.gradle.dependency.verification=off -Dorg.gradle.warning.mode=none --init-script "/tmp/semmleTempDir/init.gradle" clean
[2024-04-21 16:43:01] [autobuild] Picked up JAVA_TOOL_OPTIONS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false
[2024-04-21 16:43:01] [autobuild] Downloading https://services.gradle.org/distributions/gradle-8.7-bin.zip
Gradle 8.7 supports up to JDK21, not 11 as the newest. So I would expect JDK21, which would then work with autobuild
https://docs.gradle.org/current/userguide/compatibility.html#java
Is there some plan on fixing this ever? Otherwise I have to switch from the super-simple no-maintenance default configuration to the advanced build which means I have another github workflow yaml file to maintain, which is an anti-goal
Hi @mikehardy,
Sorry this isn't working right for you and agreed the output is a bit nonsensical here. The version selection logic contains hard-coded information about which Java version is required for a given Gradle version. This hasn't been updated since before Gradle 8.7 came out and therefore doesn't know what to recommend for it, leading the existing heuristics to a conservative and incorrect result.
One of my colleagues is actively working on improving this at the moment, so everyone affected by this should see improvements once those improvements have shipped. They probably won't land in the next CodeQL release that's targeted for next week, but it shouldn't be far out.
@mbg I see a pre-release for 2.17.3 (the version after the one you mentioned was too soon to get a fix) but I don't see anything in there, just curious if this is still under dev or not. Thanks!
We just merged the changes late yesterday, so we missed the 2.17.3 release for this by a few days. I'll need to check if they'll make their way into the next release after this and will get back to you with which version I'd expect it to land in.
Oh that's great. I was still trying to decide whether to expand the yaml in our repo for a manual build or to wait, sounds like it's well worth it to wait a bit more so autobuild just works, and I do love deferring/avoiding work when possible ;-). Thanks for the response
Hi. Has this been fixed? I've got this while building with 2.17.4:
[2024-06-10 19:54:01] Found no Java toolchains in a toolchains file, inspecting environment variables...
[2024-06-10 19:54:01] Discovered Java toolchain for version 11.0.0 at /usr/lib/jvm/temurin-11-jdk-amd64 in JAVA_HOME_11_X64
[2024-06-10 19:54:01] Discovered Java toolchain for version 8.0.0 at /usr/lib/jvm/temurin-8-jdk-amd64 in JAVA_HOME_8_X64
[2024-06-10 19:54:01] Discovered Java toolchain for version 17.0.0 at /usr/lib/jvm/temurin-17-jdk-amd64 in JAVA_HOME_17_X64
[2024-06-10 19:54:01] Discovered Java toolchain for version 21.0.0 at /usr/lib/jvm/temurin-21-jdk-amd64 in JAVA_HOME_21_X64
[2024-06-10 19:54:01] Found no Java toolchains in a toolchains file, inspecting environment variables...
[2024-06-10 19:54:01] Discovered Java toolchain for version 11.0.0 at /usr/lib/jvm/temurin-11-jdk-amd64 in JAVA_HOME_11_X64
[2024-06-10 19:54:01] Discovered Java toolchain for version 8.0.0 at /usr/lib/jvm/temurin-8-jdk-amd64 in JAVA_HOME_8_X64
[2024-06-10 19:54:01] Discovered Java toolchain for version 17.0.0 at /usr/lib/jvm/temurin-17-jdk-amd64 in JAVA_HOME_17_X64
[2024-06-10 19:54:01] Discovered Java toolchain for version 21.0.0 at /usr/lib/jvm/temurin-21-jdk-amd64 in JAVA_HOME_21_X64
[2024-06-10 19:54:01] Identified 21.0.0 as the newest version of Java supported by the version of Gradle in use. The system default of 11.0.23 is compatible with this.
I don't get why it's indentifying the JVM as 21.0.0, but saying that 11.0.23 is compatible and should be used. My build then fails because I have a dependency that requires Java 17. I don't know how to make auto build pick the JVM v21.
@citizenmatt that's identifying that the Gradle version you're using supports up to Java 21, and therefore there is no conflict with the default Java 11 installation. We don't seem to find any positive signal that your project needs at least Java 17. Can you link to the affected project, or if it isn't public can you say what features of its build scripts we might reasonably pick up on to show that Java 17 is necessary?
Thanks @smowton. It's this specific branch/PR: https://github.com/JetBrains/ideavim/pull/879. It's migrating to some new gradle dependencies, one of which requires Java 17.
Got it; we would do the right thing except we don't spot your use of the by project delegate to read your Java version from the gradle.properties file. If you were to add
// Hint for the CodeQL autobuilder: sourceCompatibility = 17
I think that should fool it sufficiently!
🎉
[2024-06-11 15:48:53] Found no Java toolchains in a toolchains file, inspecting environment variables...
[2024-06-11 15:48:53] Discovered Java toolchain for version 11.0.0 at /usr/lib/jvm/temurin-11-jdk-amd64 in JAVA_HOME_11_X64
[2024-06-11 15:48:53] Discovered Java toolchain for version 8.0.0 at /usr/lib/jvm/temurin-8-jdk-amd64 in JAVA_HOME_8_X64
[2024-06-11 15:48:53] Discovered Java toolchain for version 17.0.0 at /usr/lib/jvm/temurin-17-jdk-amd64 in JAVA_HOME_17_X64
[2024-06-11 15:48:53] Discovered Java toolchain for version 21.0.0 at /usr/lib/jvm/temurin-21-jdk-amd64 in JAVA_HOME_21_X64
[2024-06-11 15:48:53] Found no Java toolchains in a toolchains file, inspecting environment variables...
[2024-06-11 15:48:53] Discovered Java toolchain for version 11.0.0 at /usr/lib/jvm/temurin-11-jdk-amd64 in JAVA_HOME_11_X64
[2024-06-11 15:48:53] Discovered Java toolchain for version 8.0.0 at /usr/lib/jvm/temurin-8-jdk-amd64 in JAVA_HOME_8_X64
[2024-06-11 15:48:53] Discovered Java toolchain for version 17.0.0 at /usr/lib/jvm/temurin-17-jdk-amd64 in JAVA_HOME_17_X64
[2024-06-11 15:48:53] Discovered Java toolchain for version 21.0.0 at /usr/lib/jvm/temurin-21-jdk-amd64 in JAVA_HOME_21_X64
[2024-06-11 15:48:53] Gradle's sourceCompatibility setting recommends Java version 17.0.0.
[2024-06-11 15:48:53] The suggested lower bound Java version is 17.0.0.
[2024-06-11 15:48:53] Identified 21.0.0 as the newest version of Java supported by the version of Gradle in use, using this as the upper version bound for Java.
[2024-06-11 15:48:53] Setting Java version to 17.0.0 (GHA)
Fantastic, that's got it working. Thanks for the help!
(I'll pick as a medium-term issue noticing versions read from gradle.properties)