Update to Docker Integration and Query Upgrades

.github/workflows/CI_pipeline.yml

@@ -121,7 +121,7 @@ jobs:
       - name: Download and Extract CodeQL Bundle
         run: |
           # Download the CodeQL bundle
-          curl -L https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.15.2/codeql-bundle-linux64.tar.gz -o codeql-bundle.tar.gz || exit 1
+          curl -L https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.23.2/codeql-bundle-linux64.tar.gz -o codeql-bundle.tar.gz || exit 1
 
           # Extract the bundle
           tar -xzf codeql-bundle.tar.gz || exit 1
@@ -133,7 +133,7 @@ jobs:
           echo "$(pwd)/codeql" >> $GITHUB_PATH
 
       - name: Update CodeQL Query version in config
-        run: sed -i "s/^CODEQL_QUERY_VERSION = \".*\"$/CODEQL_QUERY_VERSION = \"0.8.0\"/" src/config.py
+        run: sed -i "s/^CODEQL_QUERY_VERSION = \".*\"$/CODEQL_QUERY_VERSION = \"1.8.1\"/" src/config.py
 
       - name: Update JDK Path in dep_configs.json for ${{ matrix.java_version }}
         run: |
@@ -143,7 +143,7 @@ jobs:
 
           case "$CURRENT_JAVA_VERSION" in
             "8")
-              JAVA_HOME_TO_USE="/opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/8.0.462-8/x64"
+              JAVA_HOME_TO_USE="/opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/8.0.472-8/x64"
               ;;
             "11")
               JAVA_HOME_TO_USE="/opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/11.0.23-9/x64"
@@ -171,13 +171,13 @@ jobs:
       - name: Build project ${{ matrix.project_slug }}
         run: |
           echo "--- Building ${{ matrix.project_slug }} ---"
-          python scripts/fetch_and_build.py --filter ${{ matrix.project_slug }}
+          conda run -n iris python scripts/fetch_and_build.py --filter ${{ matrix.project_slug }}
           echo "--------------------------------"
 
       - name: Generate CodeQL database for ${{ matrix.project_slug }}
         run: |
           echo "--- Generating CodeQL database for ${{ matrix.project_slug }} ---"
-          python scripts/build_codeql_dbs.py --project ${{ matrix.project_slug }}
+          conda run -n iris python scripts/build_codeql_dbs.py --project ${{ matrix.project_slug }}
           echo "----------------------------------"
 
       - name: Run IRIS for ${{ matrix.project_slug }} with CWE ${{ matrix.cwe }}

Dockerfile

@@ -93,10 +93,11 @@ WORKDIR /iris
 
 # Create conda environment
 RUN conda env remove -n iris || true && \
-    conda env create -f environment.yml
+    conda env create -f environment.yml && \
+    conda clean -afy
 
 # Download and extract CodeQL directly into /iris/
-RUN curl -L -o codeql.zip https://github.com/iris-sast/iris/releases/download/codeql-0.8.3-patched/codeql.zip && \
+RUN curl -L -o codeql.zip https://github.com/github/codeql-cli-binaries/releases/download/v2.23.2/codeql.zip && \
     unzip -qo codeql.zip -d /iris/ && \
     rm -f codeql.zip
 

README.md

@@ -81,7 +81,7 @@ sdk install maven 3.5.0
 
 #### Step 3: Configure CodeQL
 
-IRIS relies on the CodeQL Action bundle, which includes CLI utilities and pre-defined queries for various CWEs and languages ("QL packs").
+IRIS relies on the CodeQL Action bundle, which includes CLI utilities and pre-defined queries for various CWEs and languages ("QL packs"). We suggest using CodeQL version 2.23.2.
 
 If you already have CodeQL installed, specify its location via the `CODEQL_DIR` environment variable in `src/config.py`. Otherwise, download an appropriate version of the CodeQL Action bundle from the [CodeQL Action releases page](https://github.com/github/codeql-action/releases).
 
@@ -90,8 +90,8 @@ If you already have CodeQL installed, specify its location via the `CODEQL_DIR`
   - `codeql-bundle-osx64.tar.gz` for macOS
   - `codeql-bundle-linux64.tar.gz` for Linux
 
-- **For a specific version (e.g., 2.15.0):**
-  Go to the [CodeQL Action releases page](https://github.com/github/codeql-action/releases), find the release tagged `codeql-bundle-v2.15.0`, and download the appropriate bundle for your platform.
+- **For a specific version (e.g., 2.23.2):**
+  Go to the [CodeQL Action releases page](https://github.com/github/codeql-action/releases), find the release tagged `codeql-bundle-v2.23.2`, and download the appropriate bundle for your platform.
 
 After downloading, extract the archive in the project root directory:
 
@@ -107,6 +107,8 @@ Lastly, add the path of this executable to your `PATH` environment variable:
 export PATH="$PWD/codeql:$PATH"
 ```
 
+**Note:** Also adjust the environment variable `CODEQL_QUERY_VERSION` in `src/config.py` according to the instructions therein. For instance, for CodeQL v2.23.2, this should be `1.8.1`.
+
 ### Visualizer
 
 IRIS comes with a visualizer to view the SARIF output files. More detailed instructions can be found in the [docs](https://iris-sast.github.io/iris/features/visualizer.html).

data/build_cmds.csv

@@ -0,0 +1,6 @@
+project_slug,build_cmd
+spring-projects__spring-security_CVE-2011-2732_2.0.6.RELEASE,mvn -q -B -DskipTests compile
+x-stream__xstream_CVE-2013-7285_1.4.6,mvn -q -B -DskipTests compile
+spring-security_CVE-2025-22223_6.4.3,"./gradlew --no-daemon -S -Dorg.gradle.dependency.verification=off -Dorg.gradle.warning.mode=none -Dorg.gradle.caching=false --rerun-tasks -x compileKotlin -x compileTestKotlin clean classes"
+incubator-seata_CVE-2025-32897_v2.2.0,mvn -q -B -DskipTests compile
+cassandra-lucene-index_CVE-2025-26511_cassandra-4.0.16-1.0.0,mvn clean package -B -V -e -Dfindbugs.skip -Dcheckstyle.skip -Dpmd.skip=true -Dspotbugs.skip -Denforcer.skip -Dmaven.javadoc.skip -DskipTests -Dmaven.test.skip.exec -Dlicense.skip=true -Drat.skip=true -Dspotless.check.skip=true