CodeQL for Stack Overflow Snippets #4788

Open
@Alfusainey

Description of the issue

I am working on using CodeQL to find security vulnerabilities in code snippets posted on Stack Overflow. The problem, however, is that most snippets on Stack Overflow are not compilable due to missing import statements for libraries. This means that I need to work around this problem in order to be able to create a CodeQL database.

To work around the problem, I wrote a sample program (GenerateByteCode.java) that uses the Javassist library to generate class files (.class) for each non-compilable snippet (kind of a way to compile the snippets). This program is a Maven-based project and includes all the snippets that cannot be compiled. I configured the Maven build to exclude all snippet files in the snippets directory (the directory containing non-compilable snippets).

I was able to successfully create a CodeQL database using --command='mvn clean install'. However, when I try to query e.g. all method accesses, I only see the method accesses of my sample program (i.e. GenerateByteCode.java) and not of the snippet files. My explanation for this is that the database was only created for the file that Maven can compile.

My question is: Can CodeQL be used to find vulnerabilities in partial programs (e.g. Stack Overflow code snippets) which can't be compiled? Is there a way to work around this problem?
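One way to check the explanation given above, as an added example that is not part of the original issue: a CodeQL query that lists every source compilation unit the extractor recorded in the database, together with the number of method accesses found in it. If the files from the snippets directory do not appear in the result, they never reached the database, which would confirm that only what Maven actually compiled was extracted.

```ql
import java

// Every compilation unit that was extracted from source, with the number of
// method accesses found in it. A file that is missing from this list was
// never seen by the extractor, so no query can report anything about it.
from CompilationUnit cu
where cu.fromSource()
select cu.getRelativePath() as path,
       count(MethodAccess ma | ma.getCompilationUnit() = cu) as accesses
order by accesses desc
```

Run it against the database with `codeql query run --database=<path-to-database> <query-file>.ql`, where both arguments are placeholders for your own paths.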
