
CodeQL bundle includes unlicensed Oracle Java #2862


Open
ckrueger1979 opened this issue Apr 16, 2025 · 1 comment

Comments

@ckrueger1979

Hello,

The CodeQL bundle includes an unlicensed Oracle Java:
codeql-bundle-win64.tar.gz\codeql-bundle-win64.tar\codeql\java\tools\win64\jdk-extractor-java\bin\java.exe

Microsoft has its own build of Java without any license trouble; please use that or do not bundle Java at all:
https://www.microsoft.com/openjdk

@adityasharad
Contributor

Hi - thanks for the suggestion.

CodeQL includes two JDKs, one OpenJDK from the Eclipse Adoptium project (used to run the CodeQL CLI), and one OpenJDK from Oracle (used for CodeQL Java analysis specifically), both licensed under the GNU General Public License, version 2, with the Classpath Exception. The use of OpenJDK and its license is mentioned in the Open-Source-Notices/NOTICES file shipped within the CodeQL CLI artifact.

We regularly update both to keep up with recent versions and handle the environments and language features we need to support. I'm happy to update that notice to make it clearer where we obtain the JDKs from. One constraint we have for the second JDK (used for CodeQL Java analysis specifically) is that we frequently need to use pre-release or newly-released versions, which are not always available in the Adoptium or Microsoft OpenJDK distributions.

I hope this addresses your concern. If you have further questions please feel free to comment or contact me directly over email.
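The reply above states that the bundle ships two JDK images and that the NOTICES file records their license. Rather than take that on trust, an auditor can enumerate the JDKs in an extracted bundle and read the vendor straight from each image's `release` file (every JDK image carries one at its root, with KEY="value" lines such as IMPLEMENTOR and JAVA_VERSION). The script below is an added example, not code from the CodeQL project or from either commenter. It builds a small constructed directory tree that imitates the layout discussed here: the extractor JDK path follows the one quoted in the issue, while the CLI-runtime JDK path and all file contents are hypothetical placeholders.

```python
"""Inventory the JDK images inside an extracted CodeQL bundle (added example).

Each JDK image has a `release` file at its root with KEY="value" lines.
Walking the tree for those files, next to a bin/java or bin/java.exe,
tells you how many JDKs are shipped and who built each one.
"""
import os
import re
import tempfile

# One `release` line: KEY="value" (quotes are optional in some builds).
RELEASE_LINE = re.compile(r'^([A-Z_][A-Z0-9_]*)="?(.*?)"?\s*$')


def parse_release(text):
    """Parse the contents of a JDK `release` file into a dict."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RELEASE_LINE.match(line)
        if m:
            info[m.group(1)] = m.group(2)
    return info


def inventory_jdks(bundle_root):
    """Return one dict per JDK image found under bundle_root, sorted by path."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(bundle_root):
        if "release" not in filenames:
            continue
        bin_dir = os.path.join(dirpath, "bin")
        if not any(os.path.isfile(os.path.join(bin_dir, n)) for n in ("java", "java.exe")):
            continue  # a stray `release` file, not a JDK image
        with open(os.path.join(dirpath, "release"), encoding="utf-8", errors="replace") as f:
            info = parse_release(f.read())
        found.append({
            "path": os.path.relpath(dirpath, bundle_root),
            "version": info.get("JAVA_VERSION", "?"),
            "implementor": info.get("IMPLEMENTOR", "?"),
        })
    found.sort(key=lambda e: e["path"])
    return found


def notices_mention_openjdk(bundle_root):
    """True if a NOTICES file under bundle_root names OpenJDK and GPLv2 + Classpath Exception."""
    for dirpath, _dirnames, filenames in os.walk(bundle_root):
        if "NOTICES" in filenames:
            with open(os.path.join(dirpath, "NOTICES"), encoding="utf-8", errors="replace") as f:
                text = f.read()
            return ("OpenJDK" in text and "Classpath" in text
                    and ("GPL" in text or "General Public License" in text))
    return False


def audit_bundle(bundle_root):
    """Combine the JDK inventory with the NOTICES check."""
    return {"jdks": inventory_jdks(bundle_root), "notices_ok": notices_mention_openjdk(bundle_root)}


def build_sample_bundle():
    """Constructed sample tree (hypothetical contents, not real bundle files).

    The extractor path mirrors the one quoted in the issue; the CLI-runtime
    path `codeql/tools/win64/java-runtime` is a placeholder assumption.
    """
    root = tempfile.mkdtemp(prefix="codeql-bundle-sample-")
    jdks = {
        os.path.join("codeql", "tools", "win64", "java-runtime"):
            'IMPLEMENTOR="Eclipse Adoptium"\nJAVA_VERSION="21.0.6"\n',
        os.path.join("codeql", "java", "tools", "win64", "jdk-extractor-java"):
            'IMPLEMENTOR="Oracle Corporation"\nJAVA_VERSION="24"\n',
    }
    for rel, release in jdks.items():
        d = os.path.join(root, rel)
        os.makedirs(os.path.join(d, "bin"))
        with open(os.path.join(d, "release"), "w") as f:
            f.write(release)
        open(os.path.join(d, "bin", "java.exe"), "w").close()  # empty stand-in binary
    notices_dir = os.path.join(root, "codeql", "Open-Source-Notices")
    os.makedirs(notices_dir)
    with open(os.path.join(notices_dir, "NOTICES"), "w") as f:
        f.write("OpenJDK\nGNU General Public License, version 2, with the Classpath Exception\n")
    return root


if __name__ == "__main__":
    report = audit_bundle(build_sample_bundle())
    for jdk in report["jdks"]:
        print(f'{jdk["path"]}: {jdk["implementor"]} {jdk["version"]}')
    print("NOTICES covers OpenJDK:", report["notices_ok"])
```

Point `audit_bundle` at the directory you extracted codeql-bundle-*.tar.gz into and compare the IMPLEMENTOR values against what the NOTICES file claims; a vendor that appears in the inventory but not in the notices is the discrepancy worth raising.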
