[Question] is Cross repo taint analysis in java possible ?

[chmodxxx]

Hello, we perform codeql java analysis on some repos, and in case the referenced package is from another repo we lose information,

I was wondering if it's possible to perform cross repo analysis, and how would that look like ? I wonder if a db build of multiple repos is possible and is that the best solution ?

[jketema]

Hi @chmodxxx, Thanks for your question.

CodeQL does not have facilities to do analysis across repositories. The best way to work around this, is to create a source directory that includes the code from both repositories and run database create on the combined source directory.

[jflo]

I'm interested in tracking taint from hyperledger/besu to apache/incubator-tuweni, which are both multi-module gradle projects. Has anyone attempted to create a database that spans 2 large gradle projects?