Language not scannable

Question

What does the CodeQL scan issue “Language not scannable” mean and how can I detect it?

Answer

This scan issue indicates that the application includes source code written in programming languages that CodeQL cannot scan but Fortify can. That portion of the codebase has therefore not been scanned for potential security issues, as a consequence of the code scanning tool the project selected.

How to detect

Three sets of information are required to determine if this is an issue:

  1. Which languages are used in the application
  2. Which languages does CodeQL scan
  3. Which languages does Fortify scan

If there are languages that are in use by the application that Fortify can scan but CodeQL cannot scan, then this issue applies.

Now let’s look at where we can find each of these.

1. Which languages are used in the application

GitHub’s Languages API can be used as a first approximation to determine which languages are used by the application. While this can be accessed as an API call, a summary of the languages used is also shown on the main page for each repository.

The main languages used are shown at the bottom of the right-hand column of the main repository page. Languages that represent only a small portion of the code may be grouped into “Other”; however, some of the languages in “Other” may still need to be scanned.

[Image: Languages section on the GitHub repository main page, showing Java and Other.]

Note: Infrastructure as Code (IaC) files cannot be detected with this method; manual searches for files such as “Dockerfile” need to be performed.

2. Which languages does CodeQL scan

This information can be found on GitHub’s CodeQL Supported Languages and Frameworks page.

3. Which languages does Fortify scan

This information can be found in the Fortify System Requirements documentation. Links to the Fortify documentation are provided in this technical note.
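The three-step check above, written out as an added example (not part of the original note): it parses a Languages API response and reports the languages Fortify covers but CodeQL does not. The two supported-language sets are illustrative assumptions and must be refreshed from the CodeQL and Fortify pages linked above; the sample response is constructed. Unlike the repository page, the API returns every detected language, so nothing is folded into “Other”.

```python
"""Flag repository languages that Fortify can scan but CodeQL cannot.

Added example, not from the original note. The supported-language sets
below are illustrative assumptions: refresh them from the CodeQL and
Fortify pages referenced in this note before relying on the result.
"""
import json

# Linguist names (as returned by the GitHub Languages API) that CodeQL
# covers, mapped to the CodeQL language the scan would run under.
CODEQL_COVERAGE = {
    "C": "c-cpp", "C++": "c-cpp", "C#": "csharp", "Go": "go",
    "Java": "java-kotlin", "Kotlin": "java-kotlin",
    "JavaScript": "javascript-typescript", "TypeScript": "javascript-typescript",
    "Python": "python", "Ruby": "ruby", "Swift": "swift",
}

# Illustrative subset of languages Fortify SCA scans (assumption).
FORTIFY_LANGUAGES = {
    "C", "C++", "C#", "Go", "Java", "Kotlin", "JavaScript", "TypeScript",
    "Python", "Ruby", "Swift", "PHP", "Scala", "PL/SQL", "COBOL",
    "Objective-C", "Visual Basic", "ABAP",
}

def parse_languages(api_json: str, min_bytes: int = 0) -> dict:
    """Parse a GitHub Languages API body ({name: byte_count}) into a dict,
    dropping entries below min_bytes. Keep min_bytes at 0 when in doubt:
    a small amount of code can still carry security-relevant logic."""
    data = json.loads(api_json)
    return {name: size for name, size in data.items() if size >= min_bytes}

def languages_not_scannable(repo_languages: dict) -> list:
    """Return languages in the repo that Fortify scans but CodeQL does not,
    largest first so the biggest coverage gap is listed at the top."""
    gaps = [(name, size) for name, size in repo_languages.items()
            if name in FORTIFY_LANGUAGES and name not in CODEQL_COVERAGE]
    return [name for name, _ in sorted(gaps, key=lambda kv: -kv[1])]

def unknown_languages(repo_languages: dict) -> list:
    """Languages neither tool covers; these need a manual decision."""
    return sorted(n for n in repo_languages
                  if n not in FORTIFY_LANGUAGES and n not in CODEQL_COVERAGE)

# Constructed sample response, shaped like GET /repos/{owner}/{repo}/languages
SAMPLE_RESPONSE = json.dumps({
    "Java": 812345, "PHP": 54321, "PL/SQL": 12000, "Kotlin": 9000,
    "Shell": 1500, "HTML": 3000,
})

if __name__ == "__main__":
    langs = parse_languages(SAMPLE_RESPONSE)
    print("Language not scannable:", languages_not_scannable(langs))
    print("Needs manual review:", unknown_languages(langs))
```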