Let codeql scan node_module path.
mvn packages
Edit codeql-home/codeql/javascript/tools/autobuild.sh, modify here:
env SEMMLE_DIST="$CODEQL_EXTRACTOR_JAVASCRIPT_ROOT" \
LGTM_SRC="$(pwd)" \
"${CODEQL_JAVA_HOME}/bin/java" $jvm_args \
-cp "$CODEQL_EXTRACTOR_JAVASCRIPT_ROOT/tools/extractor-javascript.jar" \
com.semmle.js.extractor.AutoBuildto
env SEMMLE_DIST="$CODEQL_EXTRACTOR_JAVASCRIPT_ROOT" \
LGTM_SRC="$(pwd)" \
"${CODEQL_JAVA_HOME}/bin/java" $jvm_args \
-cp "$CODEQL_EXTRACTOR_JAVASCRIPT_ROOT/tools/extractor-javascript.jar" \
-javaagent: ${THIS_PROJECT_DIR}/target/codeqlagent-1.0-SNAPSHOT.jar \ # Add the agent (change the `THIS_PROJECT_DIR` to actual path)****
com.semmle.js.extractor.AutoBuildSupport CodeQL toolchain version: <=2.20.1. Beyond that I haven't test but maybe still work.
If you want to scan all files (including nested node_modules and hidden files), set directories that have those files to environment variable LGTM_INCLUDE_DIRS:
export LGTM_INCLUDE_DIRS="." # use \n to separate multiple directoriesThen run the codeql command to build database:
codeql database create --language=javascript codeql-database --source-root="$TARGET_DIR" --overwrite