Hi @sschuberth,

I've raised this issue internally. The team is investigating and will get back to you with next steps soon.

Hello @sschuberth,

I could reproduce your java.lang.OutOfMemoryError: Java heap space issue locally with the following build command ./gradlew clean classes -x :reporter-web-app:yarnBuild. To some extent, it's expected that the analysis takes more memory than a normal build. We're going to investigate if we can improve on our memory footprint. For the time being, I was able to overcome the issue by adding -Dorg.gradle.jvmargs=-Xmx1g to the build command.

Let us know if this doesn't unblock you.

Hi @LeShadow,

Good question! No, Kotlin is part of our Java support. You only have to enable java, which from now on automatically includes Kotlin (even for Kotlin-only projects).

@turbo thank you for the clarification!

I did a test run on one of our repositories, and either we have super good code quality or I am missing something. Because I have no alerts whatsoever on an entire codebase. Is this possible with the default settings?

@LeShadow To check if CodeQL has successfully analyzed Kotlin code, take a look at the Actions logs for the workflow. It should include a section on "analyzed LoC" (lines of code). If those roughly match the expected count, the analysis worked as intended.

If that's the case you can then take a look at increasing the number of queries run by, for example, enabling the security-extended query suite.

A note on:

super good code quality

Just to avoid confusion: CodeQL's focus is code security, not code quality. So while extended the number of queries run may flag up additional security alerts, it won't include quality checks. For that use case, we recommend running additional quality tools that integrate with GitHub code scanning, such as Detekt.

If you still encounter problems after following these steps, please open an issue and the team will assist 🙂.

No, Kotlin is part of our Java support. You only have to enable java, which from now on automatically includes Kotlin (even for Kotlin-only projects).

How about simply defining "kotlin" as an alias for "java" to avoid some potential user confusion? Also, if users would start using "kotlin" already now, that would allow you guys to seamlessly introduce Kotlin-specific checks in the future.

@sschuberth Thanks for the feedback. The mapping is automatically done when code scanning is set up via the UI for the first time on a repo containing Kotlin and we're considering various ways of making this more seamless for our integrated languages (Java/Kotlin, JS/TS).

https://github.com/github/codeql-cli-binaries/releases

Since that has been released, with tools: latest you should see CodeQL 2.12.3 in use and Kotlin 1.8.10 supported.

@smowton I'm still seeing this with tools: latest in a PR that I've created about 1 hour ago.

Apologies, I missed that in fact we need both a CLI binary (released yesterday) and a corresponding bump to https://github.com/github/codeql-action/tree/releases/v2, which typically follows around a day or two later.

Edit: said bump has now been applied. Rerunning your workflow ought to work.

Confirmed, thanks for the heads-up!

What looks a bit weird is that you set up gradle-build-action, but when use a manual run step to build (instead of passing arguments to gradle-build-action). Though I don't think that should be the root cause of things not working in your case. Anyway, this works for us.

I have another repo where that works fine. With this one I'm noticing a warning "Timed out waiting for analysis to finish processing"

Probably a memory issue. Try increasing the memory for building similar to like we did.

@eygraber, were you able to solve this? I assume you fixed it by disabling the build cache in eygraber/portal@182ac6e, right?

Yes, sorry I forgot I had two places where I was discussing this. Disabling the caching solved the problem.

That's right. That could change in the future, but right now our support works as part of a combined Java/Kotlin JVM languages analysis.

Thanks for heads up.