Note: This documentation is for the legacy command-line tool odasa.
The final version was released in May 2020. Support for this tool expires in May 2021.

For documentation on the new generation CodeQL CLI, see CodeQL CLI .
In particular, you may find the Notes for legacy QL CLI users useful in planning your migration.

Skip to end of metadata
Go to start of metadata

This tutorial helps you use the bootstrap command to create a new project for a JavaScript code base.




In this tutorial you will create a snapshot to allow you to analyze the PDF.js code base. PDF.js is a Portable Document Format (PDF) viewer that is built with HTML5. It is written in JavaScript.

The tutorial covers basic use of the odasa bootstrap tool to retrieve source files, start code analysis and export a snapshot of the project. 

Time needed: 10–15 minutes


This tutorial assumes:

Create a new project with odasa bootstrap

The quickest way to create a new Semmle analysis project is to use the odasa bootstrap command. The bootstrap tool steps you through the process and generates configuration files that you can reuse later. The process described here gives the steps required to analyze a particular JavaScript project. Other projects will require different responses to some of the bootstrap prompts.

The bootstrap tool's on-screen instructions indicate what you should enter at each step. However, the first time you run it, you may find it useful to refer to the following procedure for some additional information.

  1. Open a command console.

  2. Change to the directory where Semmle Core is installed—for example, /opt/odasa.
  3. Make sure the environment is set up correctly:

    Linux and OS X source
    Windows setup.bat

    See Setting up the environment.
  4. Enter the following command to start the bootstrap tool:

    odasa bootstrap

    The tool guides you through the rest of the process. The remainder of the steps provided below give some additional guidance that you may find useful the first time you run the bootstrap tool.

    For additional on-screen information, enter ? at any of the prompts.

  5. Project name

    Output from the bootstrap command
     *** ODASA Bootstrap ***
     (c) Semmle ltd. 
    Welcome to the ODASA bootstrap utility, which is designed to help you get started by generating a basic configuration file for a new project. 
    You will be prompted for a series of choices, which will determine the configuration that will be generated. Any time you are prompted for input, you can just enter '?' to see a more detailed explanation of the possible inputs. 
    Please enter the project name: >

    Enter:  PDF.js

  6. Project language

    Output from the bootstrap command
    What is the project language?
    	- Java [j]:                   The project is implemented using Java.
    	- C/C++ [c]:                  The project is implemented using C or C++.
    	- C# [C]:                     The project is implemented using C#.
    	- Python [p]:                 The project is implemented using Python.
    	- JavaScript/Typescript [J]:  The project is implemented using JavaScript and/or TypeScript.
        - Other [o]:                  The project is implemented using another programming language.
    [j|c|C|b|p|J|o|?] > 
    The PDF.js  project is written in JavaScript.
    Enter: J


    • Make sure to enter a capital J for JavaScript and not a lowercase j for Java.
    • The languages listed here depend on your Semmle license and the version of the Semmle software you have installed. If you do not see the JavaScript option, check that your Semmle license includes JavaScript.
  7. Project source

    Output from the bootstrap command
    How should ODASA obtain the project source?
    	- Subversion [s]: The source is in Subversion.
    	- git [g]:        The source is in git.
    	- Mercurial [m]:  The source is in Mercurial.
    	- Detached [d]:   The build should be done in a detached source directory.
    [s|g|m|d|?] > 

    The PDF.js project uses Git as the version control system for its source code.
    Enter: g

  8. Source location

    Output from the bootstrap command
    Git repository URL: > 

    The PDF.js  project stores its source code in GitHub. 


    Providing the bootstrap tool with the URL of the repository makes it possible to automatically download the latest version of the software each time an analysis is triggered.

  9. Branch

    Output from the bootstrap command
    Git branch or ref: [default: <empty>] > 

    Press Enter without specifying a branch name.

    The bootstrap tool will default to cloning the code from the "master" branch for the project.

  10. Configure TypeScript analysis
    Decide whether or not you want to include any TypeScript files (.ts or .tsx) in the analysis. At the time of writing, this example project contains no TypeScript files.
    Enter: n

    If you want to analyze TypeScript files in a project, you need to ensure that Node.js is installed, see Customizing JavaScript extraction for more information.

  11. What to extract

    Output from the bootstrap command
    Files or directories to extract: [default: .] >

    Press Enter without specifying a command.

    This causes all of the PDF.js code base to be extracted, rather than just specific directories or files. 

  12. Creating a snapshot

    You have now supplied all the information needed for the project file that is used each time a snapshot is generated. You can now go ahead and create a snapshot. 

    Output from the bootstrap command
    Do you want to automatically add a snapshot to the project?
     - Yes [y]: Add the latest snapshot to the project.
     - No [n]:  Do not add the latest snapshot to the project.
    [y|n|?] >

    Enter: y

    This tells the bootstrap tool that you want to clone the current PDF.js source files from GitHub and generate files needed to build a Semmle snapshot. This command will be run at the end of the bootstrap process.

  13. Running a set of analyses

    Output from the bootstrap command
    Do you want to run a set of analyses against the snapshot?
     - Yes [y]: Run an analysis suite on the snapshot.
     - No [n]:  Do not analyze the snapshot at this time.
    [y|n|?] >

    Enter: y

    This tells the bootstrap tool that you want to run a set of queries to analyze the snapshot. This command will be run at the end of the bootstrap process. 

  14. Specifying an analysis suite

    Output from the bootstrap command
    Which analysis suite should be applied? Leave blank for a default set. [default: <empty>] >

    If you press Enter without specifying a suite the bootstrap tool will run the standard set of JavaScript queries.

    Alternatively, you can tell the bootstrap tool to run the same queries that are run on LGTM by specifying the LGTM query suite for JavaScript: queries/customer/default/javascript-lgtm

  15. Exporting the database archive

    Output from the bootstrap command
    Do you want to export a database for a freshly created snapshot?
     - Yes [y]: Export a database archive for the snapshot.
     - No [n]: Do not export a database archive for the snapshot.
    [y|n|?] >

    Enter: y

    This tells the bootstrap tool to create a zip archive containing a snapshot in your project directory. This command will be run at the end of the bootstrap process. 

    The bootstrap tool now:

    • Clones the current PDF.js source files from GitHub, and generates files needed to build the snapshot.
    • Indexes the code base, builds a snapshot, performs JavaScript analysis, and saves the results of the analysis in a SARIF results file in the project directory.
    • Exports the snapshot as a zip archive. You can use this snapshot to run queries in your IDE, for example using the QL for Eclipse plugin.

    Completing these operations will take a few minutes.

    When the bootstrap tool finishes, it displays a message like this:

    Output from the bootstrap command
    [2018-05-18 13:41:43] [analysis]  Completed analysis for PDF.js - revision-2018-May-18--13-29-37 in 7 minutes.
    [2018-05-18 13:41:43] [analysis] PDF.js - revision-2018-May-18--13-29-37: 169 total, 169 succeeded (7:28 minutes)
    [2018-05-18 13:41:43] [analyzeSnapshot] Interpreting query results into analysis results
    Analysis results written to C:\odasa\projects\PDF.js\javascript.sarif.
    [2018-05-18 13:41:51] [export] Extracting source
    Snapshot database exported to C:\odasa\projects\PDF.js\
    Project configuration complete. 

    Now you can view the analysis results in a SARIF viewer, or import the snapshot database into your IDE and run additional analyses.

Problem solving

If error messages are reported, you can investigate the problem by reviewing the log files:

  • ...\projects\PDF.js\log.log
  • ...\projects\PDF.js\revision--<date>-<time>\log\build.log
  • ...\projects\PDF.js\revision--<date>-<time>\log\import.log
  • ...\projects\PDF.js\revision--<date>-<time>\log\analysis.log

Before rerunning the bootstrap process, enable prototyping mode. This will help with any further troubleshooting you need to do.

What next?

Spend some time investigating the analysis of the PDF.js code base. This will help you familiarize yourself with the standard rules available for JavaScript analysis. 

Query the snapshot in your IDE

If you install a QL plugin or extension, you can easily write custom queries to analyze snapshots and view the results directly in your IDE. 

Create more snapshots

Use the bootstrap tool to create a project for your own code base.

Work through the tutorial on advanced project creation to see some examples of the available configuration options.