github
No codeql for linux ARM64
We have developers trying to run codeql in a container from their macs. The container is important to testing, and we don't want to run codeql outside of it. Codeql for linux currently only built for AMD64.
There is emulation using --platform=linux/amd64, but that is prone to sever performance degradation.
We have noticed some OS specific logic in the codeql script that falsely correlates architecture to operating system. I wonder if that is the only logic standing in our way from using the osx ARM64 version in a linux container? Ideally, the script would consider architecture separately from operating system.
I'm afraid there is more to be done than that to support linux/arm64. We haven't been prioritising it because the scenario is still niche -- however I'll mention to the team that Docker-on-arm64-Mac is a potentially interesting use-case. For now the official solution is to run x86-64 images on Docker via Rosetta.
Are you tracing the compilation process in a container? If so, you're probably out of luck, since there are native binaries that are only compiled for AMD64. You might be able to work around this by (transparently) using qemu-user via binfmt_misc.
If you just want to run the database evaluation engine in a container, you might be able to do that with some hacking: take the AMD64 distribution, replace the jdk with an arm64 version and it might potentially work.
See also: https://github.com/github/codeql/issues/16692 https://github.com/github/codeql-cli-binaries/issues/97
I'm afraid there is more to be done than that to support linux/arm64. We haven't been prioritising it because the scenario is still niche -- however I'll mention to the team that Docker-on-arm64-Mac is a potentially interesting use-case. For now the official solution is to run x86-64 images on Docker via Rosetta.
respectfully, not sure how niche this is. I can give a use case, we have 100s of projects that currently have CodeQL running on AMD64 runners in Github Actions due to the lack of ARM64 support. This is not an ideal situation, as it requires maintaining two architectures when our Linux runtime is already using ARM64 for the most part.
I'm also unable to provide a proper way for my developer colleagues to run CodeQL locally because a lot of them are using ARM64 Mac machines, and the setup is too complex to scale up.
Hopefully this helps give traction to the issue. This message is made in my personal name and does not necessarily reflect the opinion of my current employer.
@cw-alexcroteau thanks for chiming in on my ticket. Hopefully this will escalate the importance. Special-casing based on architecture is far from ideal and not scalable.
I should note to GitHub employees that I work under a GitHub Enterprise contract for a US Government as part of the Veteran's Affairs, and this is an obstacle for others on our team being able to test and support other teams requiring these scans. I created a ticket for those at GitHub under that contract, but they directed me here.
To further raise awareness for macOS and Apple Silicon, Rosetta is being phased out. https://github.com/github/codeql-cli-binaries/issues/97#issuecomment-3440682724
Thanks for the feedback, everyone! I work as a PM on the CodeQL team. We've been keen an eye on things and are aware of the move to phase out Rosetta. We will aim to have something in place before that happens as well as adding support for ARM64. I cannot communicate a precise timeline now, but it is something I hope to tackle in the first half of next year.
