From a12aebb565c7c3e3a5d57688f33e6d0bbf4f4f27 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 29 Sep 2025 17:41:45 +0000
Subject: [PATCH 01/14] Initial plan
From fbbaa2eea6eadae9bd93bf4bf9c6671cbb95ae68 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 29 Sep 2025 17:49:48 +0000
Subject: [PATCH 02/14] Add Java application with multiple vulnerability
patterns and CodeQL workflow
Co-authored-by: mickeygousset <20031479+mickeygousset@users.noreply.github.com>
---
.github/workflows/codeql-analysis.yml | 49 +++++++++
pom.xml | 72 +++++++++++++
.../example/app/VulnerableApplication.java | 38 +++++++
.../com/example/database/UserDatabase.java | 70 ++++++++++++
.../com/example/security/CryptoUtils.java | 77 ++++++++++++++
.../java/com/example/web/FileController.java | 100 ++++++++++++++++++
.../example/VulnerableApplicationTest.java | 44 ++++++++
.../example/app/VulnerableApplication.class | Bin 0 -> 1953 bytes
.../com/example/database/UserDatabase.class | Bin 0 -> 2886 bytes
.../com/example/security/CryptoUtils.class | Bin 0 -> 2728 bytes
.../com/example/web/FileController.class | Bin 0 -> 3668 bytes
.../compile/default-compile/createdFiles.lst | 4 +
.../compile/default-compile/inputFiles.lst | 4 +
.../default-testCompile/createdFiles.lst | 1 +
.../default-testCompile/inputFiles.lst | 1 +
...-com.example.VulnerableApplicationTest.xml | 59 +++++++++++
.../com.example.VulnerableApplicationTest.txt | 4 +
.../example/VulnerableApplicationTest.class | Bin 0 -> 1938 bytes
18 files changed, 523 insertions(+)
create mode 100644 .github/workflows/codeql-analysis.yml
create mode 100644 pom.xml
create mode 100644 src/main/java/com/example/app/VulnerableApplication.java
create mode 100644 src/main/java/com/example/database/UserDatabase.java
create mode 100644 src/main/java/com/example/security/CryptoUtils.java
create mode 100644 src/main/java/com/example/web/FileController.java
create mode 100644 src/test/java/com/example/VulnerableApplicationTest.java
create mode 100644 target/classes/com/example/app/VulnerableApplication.class
create mode 100644 target/classes/com/example/database/UserDatabase.class
create mode 100644 target/classes/com/example/security/CryptoUtils.class
create mode 100644 target/classes/com/example/web/FileController.class
create mode 100644 target/maven-status/maven-compiler-plugin/compile/default-compile/createdFiles.lst
create mode 100644 target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst
create mode 100644 target/maven-status/maven-compiler-plugin/testCompile/default-testCompile/createdFiles.lst
create mode 100644 target/maven-status/maven-compiler-plugin/testCompile/default-testCompile/inputFiles.lst
create mode 100644 target/surefire-reports/TEST-com.example.VulnerableApplicationTest.xml
create mode 100644 target/surefire-reports/com.example.VulnerableApplicationTest.txt
create mode 100644 target/test-classes/com/example/VulnerableApplicationTest.class
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 0000000..26abf65
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,49 @@
+name: "CodeQL Analysis"
+
+on:
+ push:
+ branches: [ "main", "master" ]
+ pull_request:
+ branches: [ "main", "master" ]
+ schedule:
+ - cron: '15 2 * * 1' # Weekly on Mondays at 2:15 AM
+
+jobs:
+ analyze:
+ name: Analyze Java Code
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'java' ]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Set up JDK 11
+ uses: actions/setup-java@v3
+ with:
+ java-version: '11'
+ distribution: 'temurin'
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: ${{ matrix.language }}
+ queries: +security-and-quality
+
+ # Autobuild attempts to build any compiled languages (Java, C#, Go, etc.)
+ # If this step fails, remove it and run the build manually instead
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v2
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
+ with:
+ category: "/language:${{matrix.language}}"
\ No newline at end of file
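Review bot: Every action in this workflow is referenced by a mutable tag (`actions/checkout@v4`, `actions/setup-java@v3`, `github/codeql-action/init@v2` and the autobuild/analyze steps), so a moved or compromised tag changes what runs in a job that holds `security-events: write`. Pinning each `uses:` to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v4`, makes the reference immutable and lets Dependabot bump the pins. The `permissions:` block is already minimal, which is the right shape for this job. A short comment above `queries: +security-and-quality` noting that the `+` keeps the default suite in addition to the extra queries would save the next reader a lookup.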
diff --git a/pom.xml b/pom.xml
new file mode 100644
index 0000000..aa21bec
--- /dev/null
+++ b/pom.xml
@@ -0,0 +1,72 @@
+
+
+ 4.0.0
+
+ com.example
+ vulnerable-app
+ 1.0.0
+ jar
+
+ Vulnerable Java Application
+ A simple Java application with intentional vulnerabilities for CodeQL scanning demonstration
+
+
+ 11
+ 11
+ UTF-8
+
+
+
+
+
+ mysql
+ mysql-connector-java
+ 8.0.33
+
+
+
+
+ org.springframework
+ spring-web
+ 5.3.21
+
+
+
+
+ com.fasterxml.jackson.core
+ jackson-databind
+ 2.13.3
+
+
+
+
+ junit
+ junit
+ 4.13.2
+ test
+
+
+
+
+
+
+ org.apache.maven.plugins
+ maven-compiler-plugin
+ 3.8.1
+
+ 11
+ 11
+
+
+
+
+ org.apache.maven.plugins
+ maven-surefire-plugin
+ 3.0.0-M7
+
+
+
+
\ No newline at end of file
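Review bot: The declared dependency versions (`mysql-connector-java 8.0.33`, `spring-web 5.3.21`, `jackson-databind 2.13.3`) are older release lines, and nothing in the repository checks them: CodeQL analyzes the project's own source and does not report known-vulnerable dependencies. If the demo is meant to show what scanning catches, enabling Dependabot alerts or the dependency-review action alongside CodeQL would cover that class; if the old versions are deliberate, a comment next to each dependency saying so would stop reviewers from bumping them. The XML element tags are not visible on this page, so the POM structure itself could not be checked here.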
diff --git a/src/main/java/com/example/app/VulnerableApplication.java b/src/main/java/com/example/app/VulnerableApplication.java
new file mode 100644
index 0000000..0de280f
--- /dev/null
+++ b/src/main/java/com/example/app/VulnerableApplication.java
@@ -0,0 +1,38 @@
+package com.example.app;
+
+import com.example.database.UserDatabase;
+import com.example.security.CryptoUtils;
+import com.example.web.FileController;
+
+/**
+ * Main application class demonstrating various Java vulnerabilities
+ * that should be detected by CodeQL scanning.
+ */
+public class VulnerableApplication {
+
+ public static void main(String[] args) {
+ System.out.println("Starting Vulnerable Application...");
+
+ // Demonstrate various vulnerable components
+ UserDatabase userDb = new UserDatabase();
+ CryptoUtils crypto = new CryptoUtils();
+ FileController fileController = new FileController();
+
+ // Example usage that would trigger vulnerabilities
+ String userInput = args.length > 0 ? args[0] : "admin";
+ String password = args.length > 1 ? args[1] : "password123";
+
+ // SQL Injection vulnerability
+ userDb.authenticateUser(userInput, password);
+
+ // Weak cryptography
+ String token = crypto.generateToken();
+ System.out.println("Generated token: " + token);
+
+ // Path traversal vulnerability
+ String filename = args.length > 2 ? args[2] : "../../etc/passwd";
+ fileController.readFile(filename);
+
+ System.out.println("Application completed.");
+ }
+}
\ No newline at end of file
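Review bot: The result of `userDb.authenticateUser(userInput, password)` is dropped, as is the content returned by `fileController.readFile(filename)`, so running the demo gives no visible indication of whether either path succeeded; `boolean authenticated = userDb.authenticateUser(userInput, password);` followed by printing it would make the output match the "Executing query" logging inside UserDatabase. The class Javadoc should also state that the defaults (`"admin"`/`"password123"`, `"../../etc/passwd"`) are deliberate demo inputs and that `main` touches a live database and the filesystem, since nothing in the file says so.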
diff --git a/src/main/java/com/example/database/UserDatabase.java b/src/main/java/com/example/database/UserDatabase.java
new file mode 100644
index 0000000..7e7c216
--- /dev/null
+++ b/src/main/java/com/example/database/UserDatabase.java
@@ -0,0 +1,70 @@
+package com.example.database;
+
+import java.sql.Connection;
+import java.sql.DriverManager;
+import java.sql.ResultSet;
+import java.sql.Statement;
+
+/**
+ * Database class with intentional SQL injection vulnerabilities
+ * to demonstrate CodeQL detection capabilities.
+ */
+public class UserDatabase {
+
+ private static final String DB_URL = "jdbc:mysql://localhost:3306/testdb";
+ private static final String DB_USER = "root";
+ private static final String DB_PASSWORD = "password";
+
+ /**
+ * VULNERABLE: SQL Injection vulnerability - user input directly concatenated
+ * This should trigger a high/critical CodeQL alert
+ */
+ public boolean authenticateUser(String username, String password) {
+ try {
+ Connection conn = DriverManager.getConnection(DB_URL, DB_USER, DB_PASSWORD);
+ Statement stmt = conn.createStatement();
+
+ // VULNERABILITY: Direct string concatenation leads to SQL injection
+ String query = "SELECT * FROM users WHERE username = '" + username +
+ "' AND password = '" + password + "'";
+
+ System.out.println("Executing query: " + query);
+ ResultSet rs = stmt.executeQuery(query);
+
+ boolean authenticated = rs.next();
+
+ rs.close();
+ stmt.close();
+ conn.close();
+
+ return authenticated;
+
+ } catch (Exception e) {
+ System.err.println("Database error: " + e.getMessage());
+ return false;
+ }
+ }
+
+ /**
+ * VULNERABLE: Another SQL injection point
+ */
+ public void updateUserProfile(String userId, String email, String fullName) {
+ try {
+ Connection conn = DriverManager.getConnection(DB_URL, DB_USER, DB_PASSWORD);
+ Statement stmt = conn.createStatement();
+
+ // VULNERABILITY: String concatenation in UPDATE statement
+ String updateQuery = "UPDATE users SET email = '" + email +
+ "', full_name = '" + fullName +
+ "' WHERE user_id = " + userId;
+
+ stmt.executeUpdate(updateQuery);
+
+ stmt.close();
+ conn.close();
+
+ } catch (Exception e) {
+ System.err.println("Update failed: " + e.getMessage());
+ }
+ }
+}
\ No newline at end of file
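Review bot: Beyond the SQL injection the file intentionally demonstrates, `authenticateUser` leaks its `Connection`, `Statement` and `ResultSet` whenever `executeQuery` or `rs.next()` throws, because the three `close()` calls sit after them inside the same `try` and the `catch` releases nothing; `updateUserProfile` has the same shape. The `System.out.println("Executing query: " + query)` line also writes the caller's password to stdout in clear text, which is a separate finding (clear-text logging of sensitive data) from the one the Javadoc announces — if that is not meant to be part of the demo, log the username only. The resource handling can be fixed with try-with-resources without touching the concatenated query, as below; `updateUserProfile` would change the same way, and `catch (Exception e)` could be narrowed to `SQLException` with the matching import.
```java
public boolean authenticateUser(String username, String password) {
    // … unchanged: query built by concatenation (the intentional SQL-injection pattern) …
    System.out.println("Executing query for user: " + username);
    try (Connection conn = DriverManager.getConnection(DB_URL, DB_USER, DB_PASSWORD);
         Statement stmt = conn.createStatement();
         ResultSet rs = stmt.executeQuery(query)) {
        // All three resources are closed in reverse order even when executeQuery or next() throws.
        return rs.next();
    } catch (Exception e) {
        System.err.println("Database error: " + e.getMessage());
        return false;
    }
}
```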
diff --git a/src/main/java/com/example/security/CryptoUtils.java b/src/main/java/com/example/security/CryptoUtils.java
new file mode 100644
index 0000000..1bbdc04
--- /dev/null
+++ b/src/main/java/com/example/security/CryptoUtils.java
@@ -0,0 +1,77 @@
+package com.example.security;
+
+import java.util.Random;
+import java.security.MessageDigest;
+
+/**
+ * Security utilities with intentional cryptographic vulnerabilities
+ * to demonstrate CodeQL detection capabilities.
+ */
+public class CryptoUtils {
+
+ // VULNERABLE: Using weak random number generator
+ private static final Random random = new Random();
+
+ /**
+ * VULNERABLE: Uses weak random number generation for security tokens
+ * This should trigger a CodeQL alert for insecure randomness
+ */
+ public String generateToken() {
+ StringBuilder token = new StringBuilder();
+
+ // VULNERABILITY: Using java.util.Random for security-sensitive operations
+ for (int i = 0; i < 32; i++) {
+ int randomChar = random.nextInt(36);
+ if (randomChar < 10) {
+ token.append((char) ('0' + randomChar));
+ } else {
+ token.append((char) ('a' + randomChar - 10));
+ }
+ }
+
+ return token.toString();
+ }
+
+ /**
+ * VULNERABLE: Uses weak random for session IDs
+ */
+ public String generateSessionId() {
+ // VULNERABILITY: Predictable session ID generation
+ long sessionId = System.currentTimeMillis() + random.nextInt(1000);
+ return Long.toString(sessionId);
+ }
+
+ /**
+ * VULNERABLE: Weak hash function usage
+ */
+ public String hashPassword(String password) {
+ try {
+ // VULNERABILITY: Using MD5 for password hashing (weak algorithm)
+ MessageDigest md = MessageDigest.getInstance("MD5");
+ byte[] hash = md.digest(password.getBytes());
+
+ StringBuilder hexString = new StringBuilder();
+ for (byte b : hash) {
+ String hex = Integer.toHexString(0xff & b);
+ if (hex.length() == 1) {
+ hexString.append('0');
+ }
+ hexString.append(hex);
+ }
+
+ return hexString.toString();
+
+ } catch (Exception e) {
+ System.err.println("Hashing failed: " + e.getMessage());
+ return password; // VULNERABILITY: Fallback to plaintext
+ }
+ }
+
+ /**
+ * VULNERABLE: Hard-coded encryption key
+ */
+ public String getEncryptionKey() {
+ // VULNERABILITY: Hard-coded secret key
+ return "MySecretKey123456789";
+ }
+}
\ No newline at end of file
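Review bot: `password.getBytes()` in `hashPassword` uses the platform default charset, so the same password hashes differently on machines with different defaults — a portability bug unrelated to the MD5 choice the method is meant to showcase; use `password.getBytes(StandardCharsets.UTF_8)` (this needs `import java.nio.charset.StandardCharsets;`). The only checked exception in that block is the `NoSuchAlgorithmException` from `getInstance("MD5")`, so catching that type instead of `Exception` would document what the plaintext fallback is reacting to. The static `random` field is a constant by convention and would normally be named `RANDOM`; a comment saying it is deliberately shared across all callers would also help, since the Javadoc on `generateToken` only explains the weakness, not the sharing.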
diff --git a/src/main/java/com/example/web/FileController.java b/src/main/java/com/example/web/FileController.java
new file mode 100644
index 0000000..2938743
--- /dev/null
+++ b/src/main/java/com/example/web/FileController.java
@@ -0,0 +1,100 @@
+package com.example.web;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.BufferedReader;
+import java.io.InputStreamReader;
+import java.io.FileWriter;
+
+/**
+ * File controller with intentional path traversal vulnerabilities
+ * to demonstrate CodeQL detection capabilities.
+ */
+public class FileController {
+
+ private static final String BASE_DIR = "/tmp/uploads/";
+
+ /**
+ * VULNERABLE: Path traversal vulnerability - no input validation
+ * This should trigger a high/critical CodeQL alert
+ */
+ public String readFile(String filename) {
+ try {
+ // VULNERABILITY: Direct concatenation allows path traversal attacks
+ File file = new File(BASE_DIR + filename);
+
+ System.out.println("Reading file: " + file.getAbsolutePath());
+
+ if (!file.exists()) {
+ System.out.println("File does not exist: " + filename);
+ return null;
+ }
+
+ StringBuilder content = new StringBuilder();
+ try (BufferedReader reader = new BufferedReader(
+ new InputStreamReader(new FileInputStream(file)))) {
+
+ String line;
+ while ((line = reader.readLine()) != null) {
+ content.append(line).append("\n");
+ }
+ }
+
+ return content.toString();
+
+ } catch (Exception e) {
+ System.err.println("Error reading file: " + e.getMessage());
+ return null;
+ }
+ }
+
+ /**
+ * VULNERABLE: Another path traversal vulnerability in file writing
+ */
+ public boolean writeFile(String filename, String content) {
+ try {
+ // VULNERABILITY: No validation on filename parameter
+ File file = new File(BASE_DIR + filename);
+
+ // Create parent directories if they don't exist
+ file.getParentFile().mkdirs();
+
+ try (FileWriter writer = new FileWriter(file)) {
+ writer.write(content);
+ }
+
+ System.out.println("File written: " + file.getAbsolutePath());
+ return true;
+
+ } catch (Exception e) {
+ System.err.println("Error writing file: " + e.getMessage());
+ return false;
+ }
+ }
+
+ /**
+ * VULNERABLE: Command injection vulnerability
+ */
+ public String executeCommand(String userCommand) {
+ try {
+ // VULNERABILITY: Direct execution of user input
+ Process process = Runtime.getRuntime().exec("sh -c " + userCommand);
+
+ StringBuilder output = new StringBuilder();
+ try (BufferedReader reader = new BufferedReader(
+ new InputStreamReader(process.getInputStream()))) {
+
+ String line;
+ while ((line = reader.readLine()) != null) {
+ output.append(line).append("\n");
+ }
+ }
+
+ return output.toString();
+
+ } catch (Exception e) {
+ System.err.println("Command execution failed: " + e.getMessage());
+ return null;
+ }
+ }
+}
\ No newline at end of file
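Review bot: `executeCommand` reads only the child's stdout and never calls `process.waitFor()`, so the exit status is unknown to the caller and a child that writes enough to stderr can block on a full pipe while this loop waits on stdout; building the process with `ProcessBuilder` and `redirectErrorStream(true)` (or draining stderr separately) and checking `waitFor()` would make the returned text meaningful. All three readers/writers — the `InputStreamReader` in `readFile` and `executeCommand`, and the `FileWriter` in `writeFile` — use the platform default charset; pass `StandardCharsets.UTF_8` explicitly (Java 11's `new FileWriter(file, StandardCharsets.UTF_8)` exists for the writer). `readFile` returns `null` both for a missing file and for a read error, which callers cannot distinguish; the Javadoc should at least state that, or the method should throw on the error case.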
diff --git a/src/test/java/com/example/VulnerableApplicationTest.java b/src/test/java/com/example/VulnerableApplicationTest.java
new file mode 100644
index 0000000..86750ac
--- /dev/null
+++ b/src/test/java/com/example/VulnerableApplicationTest.java
@@ -0,0 +1,44 @@
+package com.example;
+
+import com.example.app.VulnerableApplication;
+import com.example.database.UserDatabase;
+import com.example.security.CryptoUtils;
+import com.example.web.FileController;
+import org.junit.Test;
+import static org.junit.Assert.*;
+
+/**
+ * Basic tests to verify the application compiles and runs
+ */
+public class VulnerableApplicationTest {
+
+ @Test
+ public void testUserDatabaseCreation() {
+ UserDatabase db = new UserDatabase();
+ assertNotNull("UserDatabase should be created", db);
+ }
+
+ @Test
+ public void testCryptoUtilsCreation() {
+ CryptoUtils crypto = new CryptoUtils();
+ assertNotNull("CryptoUtils should be created", crypto);
+
+ String token = crypto.generateToken();
+ assertNotNull("Token should be generated", token);
+ assertTrue("Token should have length", token.length() > 0);
+ }
+
+ @Test
+ public void testFileControllerCreation() {
+ FileController controller = new FileController();
+ assertNotNull("FileController should be created", controller);
+ }
+
+ @Test
+ public void testHashPasswordReturnsValue() {
+ CryptoUtils crypto = new CryptoUtils();
+ String hash = crypto.hashPassword("testpassword");
+ assertNotNull("Hash should not be null", hash);
+ assertTrue("Hash should have content", hash.length() > 0);
+ }
+}
\ No newline at end of file
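Review bot: `testCryptoUtilsCreation` and `testHashPasswordReturnsValue` only assert non-null and non-empty, which almost any implementation satisfies; `generateToken` loops exactly 32 times over `[0-9a-z]` and an MD5 hex digest is 32 lowercase hex characters, so `assertEquals(32, token.length()); assertTrue(token.matches("[0-9a-z]{32}"));` and `assertTrue(hash.matches("[0-9a-f]{32}"));` pin the actual contract. The hash test could additionally assert that `hashPassword` returns the same value for the same input. `testUserDatabaseCreation` only constructs the object, which is reasonable given the class needs a live MySQL, but the class Javadoc should say that the database methods are deliberately not exercised.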
diff --git a/target/classes/com/example/app/VulnerableApplication.class b/target/classes/com/example/app/VulnerableApplication.class
new file mode 100644
index 0000000000000000000000000000000000000000..3be2df5332ec19f12483b5a1519041ebc079724a
GIT binary patch
literal 1953
zcma)7Yf~Fl7=8}9Y)HeUpvH;bM!IIoTXxo6YXd?nx{9
zNBra`XZ&nG(3vvB5AZi>$M17#H**i6it$HTBI~y2@IKz
z{@62ZS(TpP%~Arx4D(gVJ!#s<*@Kp43y;?Plx{nwFo$loEZ9VYXZJrKstfrX|XbEj`DwgqOq&A_=_D5aacx
zX(uqpaLMJq|I+d5H`i_{r`J+gz#?JDTk=HMQl&3cWDH9o35BHiOa-)*!ZLCUL&rja
zDaD@C5CqDV4hZsvhr|1g>oqmNh
z^dP^w%Kc^vYsy7}s$N&nB=8}_L|2g&)>INH>IDtA85X+%<*uv0<3^VjL$vJF1;a?i
zw8d_#Srgu#;txZ*;uzdI;GU`OosUs@Vp2X!mH%bEMCO~^B+Iy
z$TKxcOVO&vaIME*DC@{q+z6OO4bdYWMm&-p{-K9q#MU0Ieh!k(pbBW)c2z^B`xB!2
z{7Xq9s%+CHq5RmqNstavqZ*AJ?gnUT*y-)}pwAeRRj1_{LRFbzI<#yB)xV^C&vB$L
zJ?`!ZdE(UlkvN_tQN^ByeML$Fc;VgrG3^%=lHTs;HcvOXAsz3O;g@cPb_Cl-A8@;F
z34fvDIE|KD>d(6COON8-sVhRnyDQzEh^6jU=$I&T%c`1E(1iP%u-@vlVm%w6TFf$r
z)V59iS+-~h2w%eyalS9tuoN_WOY`QxMTt!9d@+ZQXrQZ~0Z>s9r}YlqblMs1vHWYW
zKZ56vX;sglQT_?7skQ)$DA8>Y>-dzukTQFS2#tN<=U33uLuVK{$N1CNn5>**iuUQ9
zbIj0wbvJ+UD+cqCwcim-&laQki|B83j|TT_F}9M4W@2ZUKfG~<>%}-(%f#Ox50J_H
zMNG-Y0@*@QTg_-^_~1}^yhYC{m({!6530*)bz3CeI1pJ5sga230l
z#SvlAz&t#fvOi%lNbyNK4csM3kah!~V}p{Mf`NM|6J}Y`yN@r(myQZHv4tqfu9MX*
zLUR|Z*rrpQG)M7}P8z->OF6{fVnxHahA9m*8yYHqVTe|B`Wrb~I~Ov%O9}&cgvYce
V$oW_FcZjESOVa5XzQK3M`~xSi1VaD-
literal 0
HcmV?d00001
diff --git a/target/classes/com/example/database/UserDatabase.class b/target/classes/com/example/database/UserDatabase.class
new file mode 100644
index 0000000000000000000000000000000000000000..833b10ffa377b92bb2fc5eb216a1e220af50a496
GIT binary patch
literal 2886
zcmb7GTU!%X6kP|BObnq&6cx2PqTIpQ+M*^}DRY@U1t(PtbCTfoH>_$_FjAK%b7p^-uWHC75o%I0~$31q6i`+
zaCqH#WW+6_xEh~XUY9vfAavaE(%Qbr1u=idX8CK
zO&(;Yw<4r0?5RsO;TVo@9ucC4pPU2Q)ZBjKl`
zcpYa1ju(s#Ni8|UTQt2j&RowZdal6L19?z2;K!-z<{{`fr=cT?^SJOrAhTO8p)r1T
zndsUou9|jymh^bMEsX-f33MrN-TdwYVIPAL^rBBge-r~4+-2uQwE|j68L=3ew*9m&
zG$D>l8s3QFOdIGFSHG-LiDH1bX&Uv=_gObjy~Pl^(lnfhDO|0)ZY=fy^nAIBY*34EAUfMOk;*+
zQe|+y#A+p&ePb~hLjYZ@_wmuC`AnLGy=_|4dIFlJC
zv14|g$1Q2ID5uMXW$DZr%NBQHY1If8498UK>Sn-OGnxG7)Bo97l1y!*?5(lVOjeIn
zT}Pn%K)m(dBd#3VMXd_{Rq#A^y#n*$=w3e65|NgJ4=X9y;1Fz`Of8`((_D`(FCb`C
zD9-EHtfdd-!)1C=jedckMu)*4e7Ihu#H7sG_f0
zMtduQl+D8(}+GQsvCw!Bw3czk>zo;sdF&Jgfc0I=^O-XOf&buuk
zcoCHGNW){5%$oui_FA!7d}MFPcm+$P?@bsv&sO#PbG=7Z!HUvbMlo+m_d?pXH_D|~
zH}V%Q&TWWjBh
znUp_Qfzxm3-J)9`nI6}7->=G67@soVQ-1g2OQieRlh8#Np9{3^GODv}*p9#brNHp~
z?D)uBMY*eIQ**i>or=N%U4>|=&gdSJB{NSU>i(M1sT8`t!nn#jRkMjs@|ASPEIzQ(
z)$pA_=S$()k97?{2%LGfD0@aFL^ubHEe-5wCvg`UJ}OzR8gPi~xw>@|*YkDjX5L^T
zBE)flH{$#XeuI6#LOk_VEOJ!GKosx!qc4E>agQs3`*^^SmqjO)g}EnVhhj~!=HJjV
zJ-CfFfkdExU1P-je2(!Q-14tBKJg)C=;tuaDv(2H=6C`T{x!sKn)c43htI@ibl^HJ@U7^?
zZFFIlyIJ&+mwx2KH=uwE$hkefj3VY4-GzwME(KA6#klBm}MAbK~PsEqM}(8T}43!MCD=tchv}D47oV$w!0&{Gn<(~As2Jg
z+>?hq$Tt^mL6g+h&UBwXea?5jb58gC`q!f;0FK~0
z6%~jmh-#=rl|cNOeqB!$bu*tjH+4;BU4g1z!!+DJfk?7#LP1Pm1hdP0ltW`?MS-n&)%9JCsGq&N*r3UP|vTI#*jiN&bwr=LEl0ZY+
zH#|de>VhxpQBjWu1?x35qG=J{3Izehl(X)LNubf>NZW{qVWWmkNYJoeE=w~fur)c*
z7TES9TLqdf6l~G370m)M*9sN|8k1|cPyDt2MFf|or6F8cyIO30jVvS(ABb6R>Ly%h^Tdo0!M7
zkUdcS8U`>(7e#62-Ga}opYhXP#$OTG_u^QelX(Rr0_&IY49#X`*)=S)nrS|xA&m@O
zNSg?o0zih9I?sZ4303MP5;cr-8qRyAqmq&^4-IUs3mV2S&R!|$({jKvv$}i9a0?uH
zd2vbH?*E0AJ|=KU!D|{WDAF%>e?n^c!L$4nH!T?Te@fD+`*1R
zhdaBD96jbWScF*|uyU-Gy0l@+voobBX^-nuMM@gdR#q=g=(gd_Lt)e{cy+xa{a?-9
zBT$={rnGfej$6}`0M($|2MRiA6-Pmm>u^yL8N~CMO9e#-v2qAQ!3=wf)iPveyRkK1uN&&RpDb5pWsskx4go;Ezr7L*M@nW^rixoK`oxvv#w>+
z>kljIB~%QI4)X*qN~bk#S<^G+o;8_SDOt5~e6B24E(U&kCRbPp?v}-4$mc3FF`yTV
zV}>hxV)&eg#W0EH1=Dg>Cl|Ty7Qvj3m@KG)BI%Tlg0BR2tqJvc5h(aZ;H7_8<Wl(1>O#o02Nm_)&d3SnBq(zi)KE(
z&A%XmDBpvRpU8Az)_BVublis;Z=FZHuQ{&XL40rgK=YOF=dt0^U2mc{Ux}+Z
ze}1b%++Fy6?>si&qn(KFdk111H}bg=aqkA?ZyVva^U66!*$K4xxc1O@g5w+{cd9((
zuX5xCI~Zb(p%-}+h}NKVJ)+N`Dp16q*e;$zdrBSzt}TU=roo8k`XOFo1oe?W7{YD+
zsGi5E=#QvLMB@iM
zG80ixG<4~fLK1&VL_HQW_c7W&kF$^PDlm_Wd+!kf2vp}8AMo3ST1q-t0*4qxCmHU-
zL4HH^;wXm5a0WfNNZBO%xa%adehTlP-w*Zzv(ih}O<1Vru2z(}7Nf06*l-wT9WKDd
z41I0F2(FX;C@s|E24;PtoRBDzfjL?Uax;qP0(K&%phiK5f_4S(GE;oAQ}7IJg5m`N
zul$Dwut3Hu0x769OpEU=rF0)>Ui^`U$>j`swGW)}0}6^e5`v21{iV*>>B9wT9;2Sc
p{pQb5z5Wm@`lFUnen43TZsJ3}V_f}+|IhFRXDUZu;%j`1#NPp+gT4R&
literal 0
HcmV?d00001
diff --git a/target/classes/com/example/web/FileController.class b/target/classes/com/example/web/FileController.class
new file mode 100644
index 0000000000000000000000000000000000000000..df91d0ecfedb5a17d358c12164670e9949c549ad
GIT binary patch
literal 3668
zcmb_eYkM0<89ifJUPWEoi4vy~rKwWl#7<%>F)b}taT_bn1#H)~9J|hibS;f-#Vf74
zTEz~RQf@5;+O$ARDc5id&;V%xyTs1}-}t~k;V1As&~RpUSC(Q^zVN}b^2~dibI!ao
ze}Dh>UjRIUKgZF6h=EoUQM3tczieHx(zaDzNIyAuS>`=~w#SO)qBkTE>FJ#|5EC%9
zQPD}CEZQ=`IB^sAz!bQ*WG%_8Q_fr7Own89uc~L2y{f>0p3#lSInOPY7c#w@r{XZs
zp-Sl#=-SFDW!1$OmpQBnc|@i;z=`wi?h@qj9AX9z$;YyqR9GTCL7WS@x#@ezV2
zSBg~y0Kq$#Al7jM2ME;NU<}uac0syvbSpM`1$KuihHLZl(v^itY0<#IVS!}0cBWjZ
z1zQW3`@-M>Jq;#t96?%vdsJXY0B&HF>79<_5C+uhM+Nq5tTy;-qaHl0j6OyXHjMn_
z!TO^nKCbYM5%I!ku`Jc5GA16wCy0ktsmO9cpl>U7HwhwuB@@Hr0)jO3;JArlrPOHN
zcB<0AiI5I0+Nnj?S+?eECe7lciBmW&&~6n9xmu;-%4$_IceuS~4_$sYK561px_r;^
zb!uR&DaFW2URJ!KQ&v)Z(!_+)VMMwlZxoXza>_eSag8yZwZH=sQ35hBZDIybvmCBX
zSgtI4>ikf{q3l93l<_$e=e2-JONF9aHE>ZN5%RA5X56Bu1akptH9TX&Qqqhrt9dnZ
zJb_lk6C{h-=doa5(L@oKN&bfVCTnG{SYi>X;QBvZVMQ9DU^^L(g7
zqpIFh?_bRgfL^WhS~eYZ3l)L$MxMK-s@Nbl?K3<`JVneBG)K*DUCyc=6}fCFJ+$XM
zE59^mRrIC|yxQDrbq5#Nrq$-}U@IAHsw2~Tj+@k8+~lsNE%=IN868Sj?8;fERI*gF
zU}x15;yG-H80v}v+49*51@5U;rCWE4=bW0GmwtIW)n`K&{pt*GPs5JmRXx|Lj7e|N
zDO5Y#@S`|>jGq{|u5PuT3hduFF2(W{XGy00#=u~_=uTRB&vCB`yxDjR0z*IOX>P)n
z)%~N6vs9~O8n)mEYMg0uoVr?(jf;W#`GyGoE!}jN1|hPRZRgkv*gStuOq(Sg!!N04
z)wg*QrxfjjDG|f3c=0HlQUym=Q)S0X>HABs{f4?3ab3qvDUCL{-DE87rii5kwf*nv
z_G-4t{uU{%E~fhOD(AZb_XU(On=4>qNCd{(dz%e*6`3^YqE6}kIW86|As_gGP;Vv
z#1My>8+ZPpR-U+lD`A{(a&R+)_|QRDCdyCSBQI*9*^Ryc!3pk5W*MnHL@^>vv`TV5&G@GH}Fl()%5^k
z0*aS4XRol9lZgEb0|fftc)&onfu7_k1KB%7yUoC|foojz7dQ>UA@)zS++o5Ne_hRu
zlDOCKEslz~8D>_*Ei@4~PVmmIVs>U77iRm`@M%Q@alE8}o~uL7UrmscSUQsKyav1V
z<~ZT!4B;>6naEA1OA)w!)^`*S6A%Ue6hRo}ih{kLy$O71b?{xanBZA{2(z?3PtPen!!FX}5>b1G
zN5`rQ{8(M!y>)@N)9(#@m)LeO>YG~N3k?Eask5U+eL0J^ogYzt`hC_yhgo^!X!cdJoC}0C=Z+
AZ2$lO
literal 0
HcmV?d00001
diff --git a/target/maven-status/maven-compiler-plugin/compile/default-compile/createdFiles.lst b/target/maven-status/maven-compiler-plugin/compile/default-compile/createdFiles.lst
new file mode 100644
index 0000000..488a809
--- /dev/null
+++ b/target/maven-status/maven-compiler-plugin/compile/default-compile/createdFiles.lst
@@ -0,0 +1,4 @@
+com/example/database/UserDatabase.class
+com/example/web/FileController.class
+com/example/security/CryptoUtils.class
+com/example/app/VulnerableApplication.class
diff --git a/target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst b/target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst
new file mode 100644
index 0000000..148255b
--- /dev/null
+++ b/target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst
@@ -0,0 +1,4 @@
+/home/runner/work/coding-agent-example-java-codeql-autobuild/coding-agent-example-java-codeql-autobuild/src/main/java/com/example/security/CryptoUtils.java
+/home/runner/work/coding-agent-example-java-codeql-autobuild/coding-agent-example-java-codeql-autobuild/src/main/java/com/example/app/VulnerableApplication.java
+/home/runner/work/coding-agent-example-java-codeql-autobuild/coding-agent-example-java-codeql-autobuild/src/main/java/com/example/database/UserDatabase.java
+/home/runner/work/coding-agent-example-java-codeql-autobuild/coding-agent-example-java-codeql-autobuild/src/main/java/com/example/web/FileController.java
diff --git a/target/maven-status/maven-compiler-plugin/testCompile/default-testCompile/createdFiles.lst b/target/maven-status/maven-compiler-plugin/testCompile/default-testCompile/createdFiles.lst
new file mode 100644
index 0000000..4826c14
--- /dev/null
+++ b/target/maven-status/maven-compiler-plugin/testCompile/default-testCompile/createdFiles.lst
@@ -0,0 +1 @@
+com/example/VulnerableApplicationTest.class
diff --git a/target/maven-status/maven-compiler-plugin/testCompile/default-testCompile/inputFiles.lst b/target/maven-status/maven-compiler-plugin/testCompile/default-testCompile/inputFiles.lst
new file mode 100644
index 0000000..9eff2fe
--- /dev/null
+++ b/target/maven-status/maven-compiler-plugin/testCompile/default-testCompile/inputFiles.lst
@@ -0,0 +1 @@
+/home/runner/work/coding-agent-example-java-codeql-autobuild/coding-agent-example-java-codeql-autobuild/src/test/java/com/example/VulnerableApplicationTest.java
diff --git a/target/surefire-reports/TEST-com.example.VulnerableApplicationTest.xml b/target/surefire-reports/TEST-com.example.VulnerableApplicationTest.xml
new file mode 100644
index 0000000..c21d399
--- /dev/null
+++ b/target/surefire-reports/TEST-com.example.VulnerableApplicationTest.xml
@@ -0,0 +1,59 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/target/surefire-reports/com.example.VulnerableApplicationTest.txt b/target/surefire-reports/com.example.VulnerableApplicationTest.txt
new file mode 100644
index 0000000..49451dc
--- /dev/null
+++ b/target/surefire-reports/com.example.VulnerableApplicationTest.txt
@@ -0,0 +1,4 @@
+-------------------------------------------------------------------------------
+Test set: com.example.VulnerableApplicationTest
+-------------------------------------------------------------------------------
+Tests run: 4, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.059 s - in com.example.VulnerableApplicationTest
diff --git a/target/test-classes/com/example/VulnerableApplicationTest.class b/target/test-classes/com/example/VulnerableApplicationTest.class
new file mode 100644
index 0000000000000000000000000000000000000000..623b0df36d801e14b705bd838a577bcf06542ed9
GIT binary patch
literal 1938
zcma)7TXWM!7(Ht{k*bO~D3BWoI0+I{P$ZAE;__$u
z)S15Yr7wXgGyMVmQKjEXiY*gohCIm9Ud}n+`Oa?s{qOI809?m24FwbxlyrYCUKhRgRo=n$HZrDMTAH6r|jfqClEWa
z=P|5Rt%1f}5xRb7GdGf|-jqtG7%F+C5qILy6>rT(__im47sB--4Tcmt&9Imo9i`L2
ztd2R%lcEmyc}VK_f|uN9I8&|V1Z0v_EHKO^D{^Q@JKHMGGt3T6ckNfa;&Hztx*952
zQn0LJ1s8{!lA=>n(uGM=9!e8eb*!Pvprv;0g)wKC9^uum(wcQ@Ox~K;yk*{VJ>Cd>
z5eA;eLk%@)%va>$@InSe52!AT%n1s9d(~(6AY^(B#pH1
z8pF&3+Iqz22SVn?rx2*PPUht&6Ym@n&wZibdxlH->YA}98`kppR}nHpdn*V>omTap*@)
z+mo>_$w*PucY`=|xFn@GpV;Kf^18qhZqQ99|HeS2VVs^n(3eTSOpdO<1N)0!3fQEl
zoCY1MoAlJv1^5xS=!@Yt%@&f)kLg!}mOnuG7ZCoZFyRV{zjU7k-0M
z`U9ondt8zNib);w1Ov>FfLRhSPZG}2CANTdEGA+qDRf`V3hv?_iI}4G_wj(JAJYCB
z3Lmj5|4-adU?_AuF?xKIEQ6r}4Sib0qka`Rt7=q5-7+>tS+zt;mr3c$306IZbm
zKFRNyRcl99)s4%C_
Date: Mon, 29 Sep 2025 17:57:03 +0000
Subject: [PATCH 03/14] Complete Java application with vulnerabilities and
enhanced CodeQL workflow
Co-authored-by: mickeygousset <20031479+mickeygousset@users.noreply.github.com>
---
.github/workflows/codeql-analysis.yml | 6 +-
.gitignore | 46 ++++++++++
README.md | 57 +++++++++++-
pom.xml | 4 +
.../example/app/VulnerableApplication.java | 12 +++
.../com/example/database/UserDatabase.java | 20 +++++
src/main/java/com/example/ldap/LdapAuth.java | 82 ++++++++++++++++++
.../java/com/example/web/FileController.java | 22 +++++
.../example/app/VulnerableApplication.class | Bin 1953 -> 0 bytes
.../com/example/database/UserDatabase.class | Bin 2886 -> 0 bytes
.../com/example/security/CryptoUtils.class | Bin 2728 -> 0 bytes
.../com/example/web/FileController.class | Bin 3668 -> 0 bytes
.../compile/default-compile/createdFiles.lst | 4 -
.../compile/default-compile/inputFiles.lst | 4 -
.../default-testCompile/createdFiles.lst | 1 -
.../default-testCompile/inputFiles.lst | 1 -
...-com.example.VulnerableApplicationTest.xml | 59 -------------
.../com.example.VulnerableApplicationTest.txt | 4 -
.../example/VulnerableApplicationTest.class | Bin 1938 -> 0 bytes
19 files changed, 245 insertions(+), 77 deletions(-)
create mode 100644 .gitignore
create mode 100644 src/main/java/com/example/ldap/LdapAuth.java
delete mode 100644 target/classes/com/example/app/VulnerableApplication.class
delete mode 100644 target/classes/com/example/database/UserDatabase.class
delete mode 100644 target/classes/com/example/security/CryptoUtils.class
delete mode 100644 target/classes/com/example/web/FileController.class
delete mode 100644 target/maven-status/maven-compiler-plugin/compile/default-compile/createdFiles.lst
delete mode 100644 target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst
delete mode 100644 target/maven-status/maven-compiler-plugin/testCompile/default-testCompile/createdFiles.lst
delete mode 100644 target/maven-status/maven-compiler-plugin/testCompile/default-testCompile/inputFiles.lst
delete mode 100644 target/surefire-reports/TEST-com.example.VulnerableApplicationTest.xml
delete mode 100644 target/surefire-reports/com.example.VulnerableApplicationTest.txt
delete mode 100644 target/test-classes/com/example/VulnerableApplicationTest.class
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 26abf65..7121046 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -33,7 +33,7 @@ jobs:
distribution: 'temurin'
- name: Initialize CodeQL
- uses: github/codeql-action/init@v2
+ uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
queries: +security-and-quality
@@ -41,9 +41,9 @@ jobs:
# Autobuild attempts to build any compiled languages (Java, C#, Go, etc.)
# If this step fails, remove it and run the build manually instead
- name: Autobuild
- uses: github/codeql-action/autobuild@v2
+ uses: github/codeql-action/autobuild@v3
- name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
+ uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..7974262
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,46 @@
+# Maven
+target/
+pom.xml.tag
+pom.xml.releaseBackup
+pom.xml.versionsBackup
+pom.xml.next
+release.properties
+dependency-reduced-pom.xml
+buildNumber.properties
+.mvn/timing.properties
+.mvn/wrapper/maven-wrapper.jar
+
+# Compiled class files
+*.class
+
+# Log files
+*.log
+
+# IDE files
+.idea/
+*.iws
+*.iml
+*.ipr
+.vscode/
+.settings/
+.project
+.classpath
+
+# OS generated files
+.DS_Store
+Thumbs.db
+
+# Temporary files
+*.tmp
+*.bak
+*.swp
+*~.nib
+
+# Package files
+*.jar
+*.war
+*.nar
+*.ear
+*.zip
+*.tar.gz
+*.rar
\ No newline at end of file
diff --git a/README.md b/README.md
index 3b81e20..a07e3e1 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,56 @@
-# coding-agent-example-java-codeql-autobuild
\ No newline at end of file
+# coding-agent-example-java-codeql-autobuild
+
+A demonstration Java application with intentional security vulnerabilities for CodeQL scanning.
+
+## Overview
+
+This repository contains a simple Java application built with Maven that includes several common security vulnerabilities designed to be detected by GitHub's CodeQL static analysis tool.
+
+## Application Structure
+
+- **Main Application**: `com.example.app.VulnerableApplication` - Entry point that demonstrates various vulnerabilities
+- **Database Layer**: `com.example.database.UserDatabase` - Contains SQL injection vulnerabilities
+- **Security Utils**: `com.example.security.CryptoUtils` - Contains weak cryptographic implementations
+- **Web/File Handling**: `com.example.web.FileController` - Contains path traversal and command injection vulnerabilities
+- **LDAP Authentication**: `com.example.ldap.LdapAuth` - Contains LDAP injection vulnerabilities
+
+## Intentional Vulnerabilities
+
+This application contains the following types of security vulnerabilities:
+
+1. **SQL Injection** - Direct string concatenation in SQL queries
+2. **Command Injection** - Unsanitized user input passed to system commands
+3. **Path Traversal** - File operations without path validation
+4. **LDAP Injection** - Unescaped user input in LDAP filters
+5. **Weak Cryptography** - Use of MD5 and weak random number generation
+6. **Hard-coded Secrets** - Embedded credentials and encryption keys
+
+## CodeQL Analysis
+
+The repository includes a GitHub Actions workflow (`.github/workflows/codeql-analysis.yml`) that:
+
+- Runs CodeQL analysis on push and pull requests
+- Uses the autobuild functionality for Java
+- Includes security-and-quality queries for comprehensive coverage
+- Runs weekly scheduled scans
+
+## Building and Running
+
+```bash
+# Compile the application
+mvn clean compile
+
+# Run tests
+mvn test
+
+# Run the application (demonstrates vulnerabilities)
+mvn exec:java -Dexec.mainClass="com.example.app.VulnerableApplication"
+```
+
+## Warning
+
+⚠️ **This application contains intentional security vulnerabilities and should never be deployed in a production environment.** It is designed solely for educational purposes and CodeQL demonstration.
+
+## License
+
+This project is for educational and demonstration purposes only.
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index aa21bec..d0d637c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -20,6 +20,10 @@
+
+
mysql
diff --git a/src/main/java/com/example/app/VulnerableApplication.java b/src/main/java/com/example/app/VulnerableApplication.java
index 0de280f..f2570d0 100644
--- a/src/main/java/com/example/app/VulnerableApplication.java
+++ b/src/main/java/com/example/app/VulnerableApplication.java
@@ -3,6 +3,7 @@
import com.example.database.UserDatabase;
import com.example.security.CryptoUtils;
import com.example.web.FileController;
+import com.example.ldap.LdapAuth;
/**
* Main application class demonstrating various Java vulnerabilities
@@ -17,6 +18,7 @@ public static void main(String[] args) {
UserDatabase userDb = new UserDatabase();
CryptoUtils crypto = new CryptoUtils();
FileController fileController = new FileController();
+ LdapAuth ldapAuth = new LdapAuth();
// Example usage that would trigger vulnerabilities
String userInput = args.length > 0 ? args[0] : "admin";
@@ -24,6 +26,7 @@ public static void main(String[] args) {
// SQL Injection vulnerability
userDb.authenticateUser(userInput, password);
+ userDb.deleteUser(userInput);
// Weak cryptography
String token = crypto.generateToken();
@@ -33,6 +36,15 @@ public static void main(String[] args) {
String filename = args.length > 2 ? args[2] : "../../etc/passwd";
fileController.readFile(filename);
+ // Command injection
+ String command = args.length > 3 ? args[3] : "ls -la";
+ fileController.executeCommand(command);
+ fileController.executeSystemCommand(command);
+
+ // LDAP injection
+ ldapAuth.authenticateUser(userInput, password);
+ ldapAuth.getUserInfo(userInput);
+
System.out.println("Application completed.");
}
}
\ No newline at end of file
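Review bot: The new `executeCommand`/`executeSystemCommand` calls make `mvn exec:java` run a real shell command on the host — `args[3]`, defaulting to `ls -la`, is passed to `/bin/sh -c` twice — and `mvn test` would do the same if the (not visible) test class invokes `main`. CodeQL's data-flow queries only need the argv-to-sink path to exist in the source, not to execute, so gate the live sinks behind an explicit opt-in such as `if (Boolean.getBoolean("demo.execute")) { ... }` around the command and LDAP calls, with a comment saying the flow is what the demo needs. The LDAP calls against `ldap://localhost:389` will presumably fail in most environments and be swallowed by `LdapAuth`'s catch blocks, which is fine for the demo but worth a one-line comment here. `main` begins above this hunk.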
diff --git a/src/main/java/com/example/database/UserDatabase.java b/src/main/java/com/example/database/UserDatabase.java
index 7e7c216..a111788 100644
--- a/src/main/java/com/example/database/UserDatabase.java
+++ b/src/main/java/com/example/database/UserDatabase.java
@@ -67,4 +67,24 @@ public void updateUserProfile(String userId, String email, String fullName) {
System.err.println("Update failed: " + e.getMessage());
}
}
+
+ /**
+ * VULNERABLE: Dynamic query construction - another SQL injection pattern
+ */
+ public void deleteUser(String userIdParam) {
+ try {
+ Connection conn = DriverManager.getConnection(DB_URL, DB_USER, DB_PASSWORD);
+ Statement stmt = conn.createStatement();
+
+ // VULNERABILITY: Direct concatenation in DELETE statement
+ String sql = "DELETE FROM users WHERE id = " + userIdParam;
+ stmt.executeUpdate(sql);
+
+ stmt.close();
+ conn.close();
+
+ } catch (Exception e) {
+ System.err.println("Delete failed: " + e.getMessage());
+ }
+ }
}
\ No newline at end of file
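Review bot: `deleteUser` closes its `Statement` and `Connection` only on the success path; if `executeUpdate` throws, both leak and `catch (Exception e)` hides it. Open them with try-with-resources — `try (Connection conn = DriverManager.getConnection(DB_URL, DB_USER, DB_PASSWORD);` / `     Statement stmt = conn.createStatement()) {` — and drop the two explicit `close()` calls. The leak is likely to raise its own CodeQL alert (`java/database-resource-leak`), which muddies the SQL-injection finding this method exists to demonstrate. The concatenation is the intended finding and is labelled; the Javadoc should also state the real fix (`PreparedStatement` with `?` placeholders) so readers do not copy the pattern.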
diff --git a/src/main/java/com/example/ldap/LdapAuth.java b/src/main/java/com/example/ldap/LdapAuth.java
new file mode 100644
index 0000000..1acfa4d
--- /dev/null
+++ b/src/main/java/com/example/ldap/LdapAuth.java
@@ -0,0 +1,82 @@
+package com.example.ldap;
+
+import javax.naming.Context;
+import javax.naming.InitialContext;
+import javax.naming.NamingEnumeration;
+import javax.naming.directory.Attributes;
+import javax.naming.directory.DirContext;
+import javax.naming.directory.InitialDirContext;
+import javax.naming.directory.SearchResult;
+import java.util.Hashtable;
+
+/**
+ * LDAP authentication with intentional LDAP injection vulnerability
+ * to demonstrate CodeQL detection capabilities.
+ */
+public class LdapAuth {
+
+ private static final String LDAP_URL = "ldap://localhost:389";
+ private static final String BASE_DN = "dc=example,dc=com";
+
+ /**
+ * VULNERABLE: LDAP injection vulnerability - user input directly concatenated
+ * This should trigger a high/critical CodeQL alert
+ */
+ public boolean authenticateUser(String username, String password) {
+ try {
+ Hashtable env = new Hashtable<>();
+ env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
+ env.put(Context.PROVIDER_URL, LDAP_URL);
+
+ DirContext ctx = new InitialDirContext(env);
+
+ // VULNERABILITY: Direct concatenation allows LDAP injection
+ String filter = "(&(uid=" + username + ")(userPassword=" + password + "))";
+
+ System.out.println("LDAP filter: " + filter);
+
+ NamingEnumeration results = ctx.search(BASE_DN, filter, null);
+ boolean authenticated = results.hasMore();
+
+ results.close();
+ ctx.close();
+
+ return authenticated;
+
+ } catch (Exception e) {
+ System.err.println("LDAP authentication failed: " + e.getMessage());
+ return false;
+ }
+ }
+
+ /**
+ * VULNERABLE: Another LDAP injection pattern
+ */
+ public String getUserInfo(String userId) {
+ try {
+ Hashtable env = new Hashtable<>();
+ env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
+ env.put(Context.PROVIDER_URL, LDAP_URL);
+
+ DirContext ctx = new InitialDirContext(env);
+
+ // VULNERABILITY: LDAP injection in search filter
+ String searchFilter = "(uid=" + userId + ")";
+ NamingEnumeration results = ctx.search(BASE_DN, searchFilter, null);
+
+ if (results.hasMore()) {
+ SearchResult result = results.next();
+ Attributes attrs = result.getAttributes();
+ return attrs.toString();
+ }
+
+ results.close();
+ ctx.close();
+
+ } catch (Exception e) {
+ System.err.println("LDAP search failed: " + e.getMessage());
+ }
+
+ return null;
+ }
+}
\ No newline at end of file
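Review bot: `getUserInfo` returns `attrs.toString()` from inside the `if (results.hasMore())` branch, so on the very path that finds a user neither `results.close()` nor `ctx.close()` runs, and both methods also skip the closes whenever `search` throws. `DirContext` and `NamingEnumeration` are not `AutoCloseable`, so the cleanup belongs in a `finally` block. Separately, `authenticateUser` writes the complete filter — including the cleartext password — to stdout at `System.out.println("LDAP filter: " + filter);`; that is not one of the labelled intentional findings, so either tag it `// VULNERABILITY (intentional): logs a credential` or remove it. The injectable filters themselves are the intended demonstration and are correctly labelled.
```java
public String getUserInfo(String userId) {
    DirContext ctx = null;
    NamingEnumeration<SearchResult> results = null;
    try {
        // … unchanged: env setup …
        ctx = new InitialDirContext(env);

        // VULNERABILITY (intentional): LDAP injection in search filter
        String searchFilter = "(uid=" + userId + ")";
        results = ctx.search(BASE_DN, searchFilter, null);

        if (results.hasMore()) {
            return results.next().getAttributes().toString();
        }
    } catch (Exception e) {
        System.err.println("LDAP search failed: " + e.getMessage());
    } finally {
        // Context and NamingEnumeration are not AutoCloseable: close on every path,
        // including the early return above and the exception path.
        if (results != null) { try { results.close(); } catch (Exception ignored) { } }
        if (ctx != null) { try { ctx.close(); } catch (Exception ignored) { } }
    }
    return null;
}
```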
diff --git a/src/main/java/com/example/web/FileController.java b/src/main/java/com/example/web/FileController.java
index 2938743..23853f4 100644
--- a/src/main/java/com/example/web/FileController.java
+++ b/src/main/java/com/example/web/FileController.java
@@ -97,4 +97,26 @@ public String executeCommand(String userCommand) {
return null;
}
}
+
+ /**
+ * VULNERABLE: Another command injection pattern using ProcessBuilder
+ */
+ public String executeSystemCommand(String cmd) {
+ try {
+ // VULNERABILITY: ProcessBuilder with unsanitized input
+ ProcessBuilder pb = new ProcessBuilder("/bin/sh", "-c", cmd);
+ Process process = pb.start();
+
+ BufferedReader reader = new BufferedReader(new InputStreamReader(process.getInputStream()));
+ StringBuilder result = new StringBuilder();
+ String line;
+ while ((line = reader.readLine()) != null) {
+ result.append(line).append("\n");
+ }
+
+ return result.toString();
+ } catch (Exception e) {
+ return "Error: " + e.getMessage();
+ }
+ }
}
\ No newline at end of file
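Review bot: `executeSystemCommand` reads only stdout and never calls `waitFor()`, so a child that writes more than a pipe buffer's worth to stderr blocks on that write while this loop waits for stdout to reach EOF, and the `BufferedReader` is never closed. Add `pb.redirectErrorStream(true);` before `pb.start()`, open the reader as `try (BufferedReader reader = new BufferedReader(new InputStreamReader(process.getInputStream(), StandardCharsets.UTF_8))) {` (import `java.nio.charset.StandardCharsets`), and call `process.waitFor();` after the loop. The `/bin/sh -c` sink is the intentional finding and is labelled; these plumbing defects are not, and `return "Error: " + e.getMessage();` also makes a failure indistinguishable from command output — returning `null` as `executeCommand` appears to do in its trailing `return null;` would keep the two methods consistent.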
diff --git a/target/classes/com/example/app/VulnerableApplication.class b/target/classes/com/example/app/VulnerableApplication.class
deleted file mode 100644
index 3be2df5332ec19f12483b5a1519041ebc079724a..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001
literal 1953
zcma)7Yf~Fl7=8}9Y)HeUpvH;bM!IIoTXxo6YXd?nx{9
zNBra`XZ&nG(3vvB5AZi>$M17#H**i6it$HTBI~y2@IKz
z{@62ZS(TpP%~Arx4D(gVJ!#s<*@Kp43y;?Plx{nwFo$loEZ9VYXZJrKstfrX|XbEj`DwgqOq&A_=_D5aacx
zX(uqpaLMJq|I+d5H`i_{r`J+gz#?JDTk=HMQl&3cWDH9o35BHiOa-)*!ZLCUL&rja
zDaD@C5CqDV4hZsvhr|1g>oqmNh
z^dP^w%Kc^vYsy7}s$N&nB=8}_L|2g&)>INH>IDtA85X+%<*uv0<3^VjL$vJF1;a?i
zw8d_#Srgu#;txZ*;uzdI;GU`OosUs@Vp2X!mH%bEMCO~^B+Iy
z$TKxcOVO&vaIME*DC@{q+z6OO4bdYWMm&-p{-K9q#MU0Ieh!k(pbBW)c2z^B`xB!2
z{7Xq9s%+CHq5RmqNstavqZ*AJ?gnUT*y-)}pwAeRRj1_{LRFbzI<#yB)xV^C&vB$L
zJ?`!ZdE(UlkvN_tQN^ByeML$Fc;VgrG3^%=lHTs;HcvOXAsz3O;g@cPb_Cl-A8@;F
z34fvDIE|KD>d(6COON8-sVhRnyDQzEh^6jU=$I&T%c`1E(1iP%u-@vlVm%w6TFf$r
z)V59iS+-~h2w%eyalS9tuoN_WOY`QxMTt!9d@+ZQXrQZ~0Z>s9r}YlqblMs1vHWYW
zKZ56vX;sglQT_?7skQ)$DA8>Y>-dzukTQFS2#tN<=U33uLuVK{$N1CNn5>**iuUQ9
zbIj0wbvJ+UD+cqCwcim-&laQki|B83j|TT_F}9M4W@2ZUKfG~<>%}-(%f#Ox50J_H
zMNG-Y0@*@QTg_-^_~1}^yhYC{m({!6530*)bz3CeI1pJ5sga230l
z#SvlAz&t#fvOi%lNbyNK4csM3kah!~V}p{Mf`NM|6J}Y`yN@r(myQZHv4tqfu9MX*
zLUR|Z*rrpQG)M7}P8z->OF6{fVnxHahA9m*8yYHqVTe|B`Wrb~I~Ov%O9}&cgvYce
V$oW_FcZjESOVa5XzQK3M`~xSi1VaD-
diff --git a/target/classes/com/example/database/UserDatabase.class b/target/classes/com/example/database/UserDatabase.class
deleted file mode 100644
index 833b10ffa377b92bb2fc5eb216a1e220af50a496..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001
literal 2886
zcmb7GTU!%X6kP|BObnq&6cx2PqTIpQ+M*^}DRY@U1t(PtbCTfoH>_$_FjAK%b7p^-uWHC75o%I0~$31q6i`+
zaCqH#WW+6_xEh~XUY9vfAavaE(%Qbr1u=idX8CK
zO&(;Yw<4r0?5RsO;TVo@9ucC4pPU2Q)ZBjKl`
zcpYa1ju(s#Ni8|UTQt2j&RowZdal6L19?z2;K!-z<{{`fr=cT?^SJOrAhTO8p)r1T
zndsUou9|jymh^bMEsX-f33MrN-TdwYVIPAL^rBBge-r~4+-2uQwE|j68L=3ew*9m&
zG$D>l8s3QFOdIGFSHG-LiDH1bX&Uv=_gObjy~Pl^(lnfhDO|0)ZY=fy^nAIBY*34EAUfMOk;*+
zQe|+y#A+p&ePb~hLjYZ@_wmuC`AnLGy=_|4dIFlJC
zv14|g$1Q2ID5uMXW$DZr%NBQHY1If8498UK>Sn-OGnxG7)Bo97l1y!*?5(lVOjeIn
zT}Pn%K)m(dBd#3VMXd_{Rq#A^y#n*$=w3e65|NgJ4=X9y;1Fz`Of8`((_D`(FCb`C
zD9-EHtfdd-!)1C=jedckMu)*4e7Ihu#H7sG_f0
zMtduQl+D8(}+GQsvCw!Bw3czk>zo;sdF&Jgfc0I=^O-XOf&buuk
zcoCHGNW){5%$oui_FA!7d}MFPcm+$P?@bsv&sO#PbG=7Z!HUvbMlo+m_d?pXH_D|~
zH}V%Q&TWWjBh
znUp_Qfzxm3-J)9`nI6}7->=G67@soVQ-1g2OQieRlh8#Np9{3^GODv}*p9#brNHp~
z?D)uBMY*eIQ**i>or=N%U4>|=&gdSJB{NSU>i(M1sT8`t!nn#jRkMjs@|ASPEIzQ(
z)$pA_=S$()k97?{2%LGfD0@aFL^ubHEe-5wCvg`UJ}OzR8gPi~xw>@|*YkDjX5L^T
zBE)flH{$#XeuI6#LOk_VEOJ!GKosx!qc4E>agQs3`*^^SmqjO)g}EnVhhj~!=HJjV
zJ-CfFfkdExU1P-je2(!Q-14tBKJg)C=;tuaDv(2H=6C`T{x!sKn)c43htI@ibl^HJ@U7^?
zZFFIlyIJ&+mwx2KH=uwE$hkefj3VY4-GzwME(KA6#klBm}MAbK~PsEqM}(8T}43!MCD=tchv}D47oV$w!0&{Gn<(~As2Jg
z+>?hq$Tt^mL6g+h&UBwXea?5jb58gC`q!f;0FK~0
z6%~jmh-#=rl|cNOeqB!$bu*tjH+4;BU4g1z!!+DJfk?7#LP1Pm1hdP0ltW`?MS-n&)%9JCsGq&N*r3UP|vTI#*jiN&bwr=LEl0ZY+
zH#|de>VhxpQBjWu1?x35qG=J{3Izehl(X)LNubf>NZW{qVWWmkNYJoeE=w~fur)c*
z7TES9TLqdf6l~G370m)M*9sN|8k1|cPyDt2MFf|or6F8cyIO30jVvS(ABb6R>Ly%h^Tdo0!M7
zkUdcS8U`>(7e#62-Ga}opYhXP#$OTG_u^QelX(Rr0_&IY49#X`*)=S)nrS|xA&m@O
zNSg?o0zih9I?sZ4303MP5;cr-8qRyAqmq&^4-IUs3mV2S&R!|$({jKvv$}i9a0?uH
zd2vbH?*E0AJ|=KU!D|{WDAF%>e?n^c!L$4nH!T?Te@fD+`*1R
zhdaBD96jbWScF*|uyU-Gy0l@+voobBX^-nuMM@gdR#q=g=(gd_Lt)e{cy+xa{a?-9
zBT$={rnGfej$6}`0M($|2MRiA6-Pmm>u^yL8N~CMO9e#-v2qAQ!3=wf)iPveyRkK1uN&&RpDb5pWsskx4go;Ezr7L*M@nW^rixoK`oxvv#w>+
z>kljIB~%QI4)X*qN~bk#S<^G+o;8_SDOt5~e6B24E(U&kCRbPp?v}-4$mc3FF`yTV
zV}>hxV)&eg#W0EH1=Dg>Cl|Ty7Qvj3m@KG)BI%Tlg0BR2tqJvc5h(aZ;H7_8<Wl(1>O#o02Nm_)&d3SnBq(zi)KE(
z&A%XmDBpvRpU8Az)_BVublis;Z=FZHuQ{&XL40rgK=YOF=dt0^U2mc{Ux}+Z
ze}1b%++Fy6?>si&qn(KFdk111H}bg=aqkA?ZyVva^U66!*$K4xxc1O@g5w+{cd9((
zuX5xCI~Zb(p%-}+h}NKVJ)+N`Dp16q*e;$zdrBSzt}TU=roo8k`XOFo1oe?W7{YD+
zsGi5E=#QvLMB@iM
zG80ixG<4~fLK1&VL_HQW_c7W&kF$^PDlm_Wd+!kf2vp}8AMo3ST1q-t0*4qxCmHU-
zL4HH^;wXm5a0WfNNZBO%xa%adehTlP-w*Zzv(ih}O<1Vru2z(}7Nf06*l-wT9WKDd
z41I0F2(FX;C@s|E24;PtoRBDzfjL?Uax;qP0(K&%phiK5f_4S(GE;oAQ}7IJg5m`N
zul$Dwut3Hu0x769OpEU=rF0)>Ui^`U$>j`swGW)}0}6^e5`v21{iV*>>B9wT9;2Sc
p{pQb5z5Wm@`lFUnen43TZsJ3}V_f}+|IhFRXDUZu;%j`1#NPp+gT4R&
diff --git a/target/classes/com/example/web/FileController.class b/target/classes/com/example/web/FileController.class
deleted file mode 100644
index df91d0ecfedb5a17d358c12164670e9949c549ad..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001
literal 3668
zcmb_eYkM0<89ifJUPWEoi4vy~rKwWl#7<%>F)b}taT_bn1#H)~9J|hibS;f-#Vf74
zTEz~RQf@5;+O$ARDc5id&;V%xyTs1}-}t~k;V1As&~RpUSC(Q^zVN}b^2~dibI!ao
ze}Dh>UjRIUKgZF6h=EoUQM3tczieHx(zaDzNIyAuS>`=~w#SO)qBkTE>FJ#|5EC%9
zQPD}CEZQ=`IB^sAz!bQ*WG%_8Q_fr7Own89uc~L2y{f>0p3#lSInOPY7c#w@r{XZs
zp-Sl#=-SFDW!1$OmpQBnc|@i;z=`wi?h@qj9AX9z$;YyqR9GTCL7WS@x#@ezV2
zSBg~y0Kq$#Al7jM2ME;NU<}uac0syvbSpM`1$KuihHLZl(v^itY0<#IVS!}0cBWjZ
z1zQW3`@-M>Jq;#t96?%vdsJXY0B&HF>79<_5C+uhM+Nq5tTy;-qaHl0j6OyXHjMn_
z!TO^nKCbYM5%I!ku`Jc5GA16wCy0ktsmO9cpl>U7HwhwuB@@Hr0)jO3;JArlrPOHN
zcB<0AiI5I0+Nnj?S+?eECe7lciBmW&&~6n9xmu;-%4$_IceuS~4_$sYK561px_r;^
zb!uR&DaFW2URJ!KQ&v)Z(!_+)VMMwlZxoXza>_eSag8yZwZH=sQ35hBZDIybvmCBX
zSgtI4>ikf{q3l93l<_$e=e2-JONF9aHE>ZN5%RA5X56Bu1akptH9TX&Qqqhrt9dnZ
zJb_lk6C{h-=doa5(L@oKN&bfVCTnG{SYi>X;QBvZVMQ9DU^^L(g7
zqpIFh?_bRgfL^WhS~eYZ3l)L$MxMK-s@Nbl?K3<`JVneBG)K*DUCyc=6}fCFJ+$XM
zE59^mRrIC|yxQDrbq5#Nrq$-}U@IAHsw2~Tj+@k8+~lsNE%=IN868Sj?8;fERI*gF
zU}x15;yG-H80v}v+49*51@5U;rCWE4=bW0GmwtIW)n`K&{pt*GPs5JmRXx|Lj7e|N
zDO5Y#@S`|>jGq{|u5PuT3hduFF2(W{XGy00#=u~_=uTRB&vCB`yxDjR0z*IOX>P)n
z)%~N6vs9~O8n)mEYMg0uoVr?(jf;W#`GyGoE!}jN1|hPRZRgkv*gStuOq(Sg!!N04
z)wg*QrxfjjDG|f3c=0HlQUym=Q)S0X>HABs{f4?3ab3qvDUCL{-DE87rii5kwf*nv
z_G-4t{uU{%E~fhOD(AZb_XU(On=4>qNCd{(dz%e*6`3^YqE6}kIW86|As_gGP;Vv
z#1My>8+ZPpR-U+lD`A{(a&R+)_|QRDCdyCSBQI*9*^Ryc!3pk5W*MnHL@^>vv`TV5&G@GH}Fl()%5^k
z0*aS4XRol9lZgEb0|fftc)&onfu7_k1KB%7yUoC|foojz7dQ>UA@)zS++o5Ne_hRu
zlDOCKEslz~8D>_*Ei@4~PVmmIVs>U77iRm`@M%Q@alE8}o~uL7UrmscSUQsKyav1V
z<~ZT!4B;>6naEA1OA)w!)^`*S6A%Ue6hRo}ih{kLy$O71b?{xanBZA{2(z?3PtPen!!FX}5>b1G
zN5`rQ{8(M!y>)@N)9(#@m)LeO>YG~N3k?Eask5U+eL0J^ogYzt`hC_yhgo^!X!cdJoC}0C=Z+
AZ2$lO
diff --git a/target/maven-status/maven-compiler-plugin/compile/default-compile/createdFiles.lst b/target/maven-status/maven-compiler-plugin/compile/default-compile/createdFiles.lst
deleted file mode 100644
index 488a809..0000000
--- a/target/maven-status/maven-compiler-plugin/compile/default-compile/createdFiles.lst
+++ /dev/null
@@ -1,4 +0,0 @@
-com/example/database/UserDatabase.class
-com/example/web/FileController.class
-com/example/security/CryptoUtils.class
-com/example/app/VulnerableApplication.class
diff --git a/target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst b/target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst
deleted file mode 100644
index 148255b..0000000
--- a/target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst
+++ /dev/null
@@ -1,4 +0,0 @@
-/home/runner/work/coding-agent-example-java-codeql-autobuild/coding-agent-example-java-codeql-autobuild/src/main/java/com/example/security/CryptoUtils.java
-/home/runner/work/coding-agent-example-java-codeql-autobuild/coding-agent-example-java-codeql-autobuild/src/main/java/com/example/app/VulnerableApplication.java
-/home/runner/work/coding-agent-example-java-codeql-autobuild/coding-agent-example-java-codeql-autobuild/src/main/java/com/example/database/UserDatabase.java
-/home/runner/work/coding-agent-example-java-codeql-autobuild/coding-agent-example-java-codeql-autobuild/src/main/java/com/example/web/FileController.java
diff --git a/target/maven-status/maven-compiler-plugin/testCompile/default-testCompile/createdFiles.lst b/target/maven-status/maven-compiler-plugin/testCompile/default-testCompile/createdFiles.lst
deleted file mode 100644
index 4826c14..0000000
--- a/target/maven-status/maven-compiler-plugin/testCompile/default-testCompile/createdFiles.lst
+++ /dev/null
@@ -1 +0,0 @@
-com/example/VulnerableApplicationTest.class
diff --git a/target/maven-status/maven-compiler-plugin/testCompile/default-testCompile/inputFiles.lst b/target/maven-status/maven-compiler-plugin/testCompile/default-testCompile/inputFiles.lst
deleted file mode 100644
index 9eff2fe..0000000
--- a/target/maven-status/maven-compiler-plugin/testCompile/default-testCompile/inputFiles.lst
+++ /dev/null
@@ -1 +0,0 @@
-/home/runner/work/coding-agent-example-java-codeql-autobuild/coding-agent-example-java-codeql-autobuild/src/test/java/com/example/VulnerableApplicationTest.java
diff --git a/target/surefire-reports/TEST-com.example.VulnerableApplicationTest.xml b/target/surefire-reports/TEST-com.example.VulnerableApplicationTest.xml
deleted file mode 100644
index c21d399..0000000
--- a/target/surefire-reports/TEST-com.example.VulnerableApplicationTest.xml
+++ /dev/null
@@ -1,59 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/target/surefire-reports/com.example.VulnerableApplicationTest.txt b/target/surefire-reports/com.example.VulnerableApplicationTest.txt
deleted file mode 100644
index 49451dc..0000000
--- a/target/surefire-reports/com.example.VulnerableApplicationTest.txt
+++ /dev/null
@@ -1,4 +0,0 @@
--------------------------------------------------------------------------------
-Test set: com.example.VulnerableApplicationTest
--------------------------------------------------------------------------------
-Tests run: 4, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.059 s - in com.example.VulnerableApplicationTest
diff --git a/target/test-classes/com/example/VulnerableApplicationTest.class b/target/test-classes/com/example/VulnerableApplicationTest.class
deleted file mode 100644
index 623b0df36d801e14b705bd838a577bcf06542ed9..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001
literal 1938
zcma)7TXWM!7(Ht{k*bO~D3BWoI0+I{P$ZAE;__$u
z)S15Yr7wXgGyMVmQKjEXiY*gohCIm9Ud}n+`Oa?s{qOI809?m24FwbxlyrYCUKhRgRo=n$HZrDMTAH6r|jfqClEWa
z=P|5Rt%1f}5xRb7GdGf|-jqtG7%F+C5qILy6>rT(__im47sB--4Tcmt&9Imo9i`L2
ztd2R%lcEmyc}VK_f|uN9I8&|V1Z0v_EHKO^D{^Q@JKHMGGt3T6ckNfa;&Hztx*952
zQn0LJ1s8{!lA=>n(uGM=9!e8eb*!Pvprv;0g)wKC9^uum(wcQ@Ox~K;yk*{VJ>Cd>
z5eA;eLk%@)%va>$@InSe52!AT%n1s9d(~(6AY^(B#pH1
z8pF&3+Iqz22SVn?rx2*PPUht&6Ym@n&wZibdxlH->YA}98`kppR}nHpdn*V>omTap*@)
z+mo>_$w*PucY`=|xFn@GpV;Kf^18qhZqQ99|HeS2VVs^n(3eTSOpdO<1N)0!3fQEl
zoCY1MoAlJv1^5xS=!@Yt%@&f)kLg!}mOnuG7ZCoZFyRV{zjU7k-0M
z`U9ondt8zNib);w1Ov>FfLRhSPZG}2CANTdEGA+qDRf`V3hv?_iI}4G_wj(JAJYCB
z3Lmj5|4-adU?_AuF?xKIEQ6r}4Sib0qka`Rt7=q5-7+>tS+zt;mr3c$306IZbm
zKFRNyRcl99)s4%C_
Date: Mon, 29 Sep 2025 13:05:31 -0500
Subject: [PATCH 04/14] Add build-mode option to CodeQL analysis workflow
---
.github/workflows/codeql-analysis.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 7121046..557067f 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -37,6 +37,7 @@ jobs:
with:
languages: ${{ matrix.language }}
queries: +security-and-quality
+ build-mode: autobuild
# Autobuild attempts to build any compiled languages (Java, C#, Go, etc.)
# If this step fails, remove it and run the build manually instead
@@ -46,4 +47,4 @@ jobs:
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
- category: "/language:${{matrix.language}}"
\ No newline at end of file
+ category: "/language:${{matrix.language}}"
From 66dab75c6b894a68ed786840cf9b199cb14f8404 Mon Sep 17 00:00:00 2001
From: Mickey Gousset
Date: Mon, 29 Sep 2025 13:11:06 -0500
Subject: [PATCH 05/14] Enable dependency caching in CodeQL analysis
---
.github/workflows/codeql-analysis.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 557067f..865c62e 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -38,6 +38,7 @@ jobs:
languages: ${{ matrix.language }}
queries: +security-and-quality
build-mode: autobuild
+ dependency-caching: true
# Autobuild attempts to build any compiled languages (Java, C#, Go, etc.)
# If this step fails, remove it and run the build manually instead
From 5e73a073439d8e3187062722a98695f0590a96d6 Mon Sep 17 00:00:00 2001
From: Mickey Gousset
Date: Mon, 29 Sep 2025 13:16:11 -0500
Subject: [PATCH 06/14] Fix header formatting in README.md
---
README.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index a07e3e1..ee621d5 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# coding-agent-example-java-codeql-autobuild
+# coding-agent-example-java-codeql-autobuild
A demonstration Java application with intentional security vulnerabilities for CodeQL scanning.
@@ -53,4 +53,4 @@ mvn exec:java -Dexec.mainClass="com.example.app.VulnerableApplication"
## License
-This project is for educational and demonstration purposes only.
\ No newline at end of file
+This project is for educational and demonstration purposes only.
From a229811ca43d8a12b93101816a0b08bf5a179b18 Mon Sep 17 00:00:00 2001
From: Mickey Gousset
Date: Mon, 29 Sep 2025 13:21:15 -0500
Subject: [PATCH 07/14] Update application name for testing purposes
---
pom.xml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pom.xml b/pom.xml
index d0d637c..66a1059 100644
--- a/pom.xml
+++ b/pom.xml
@@ -10,7 +10,7 @@
1.0.0
jar
- Vulnerable Java Application
+ Vulnerable Java Application - Test
A simple Java application with intentional vulnerabilities for CodeQL scanning demonstration
@@ -73,4 +73,4 @@
-
\ No newline at end of file
+
From 37090d9bedc77c379091cf580a1fb24817667514 Mon Sep 17 00:00:00 2001
From: Mickey Gousset
Date: Mon, 29 Sep 2025 13:29:01 -0500
Subject: [PATCH 08/14] Add commons-lang3 dependency
Added commons-lang3 dependency version 3.12.0.
---
pom.xml | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/pom.xml b/pom.xml
index 66a1059..32ca398 100644
--- a/pom.xml
+++ b/pom.xml
@@ -23,6 +23,12 @@
+
+
+ org.apache.commons
+ commons-lang3
+ 3.12.0
+
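Review bot: commons-lang3 3.12.0 falls within the range covered by CVE-2025-48924 (uncontrolled recursion in `ClassUtils.getClass`, fixed in 3.18.0), so dependency review or Dependabot will flag this addition. If it is one of the deliberately outdated dependencies the pom's comment describes, say so beside the coordinates — `<!-- intentionally outdated for the demo: CVE-2025-48924 -->` — otherwise use 3.18.0 or later. None of the Java imports visible in this series reference `org.apache.commons.lang3`, so if nothing uses it the dependency is also unneeded supply-chain surface.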
From 8a968b1daab1d040d579fdcc74e434240f3af698 Mon Sep 17 00:00:00 2001
From: Mickey Gousset
Date: Mon, 29 Sep 2025 13:37:44 -0500
Subject: [PATCH 09/14] Disable dependency caching in CodeQL analysis
---
.github/workflows/codeql-analysis.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 865c62e..b22d747 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -38,7 +38,7 @@ jobs:
languages: ${{ matrix.language }}
queries: +security-and-quality
build-mode: autobuild
- dependency-caching: true
+ dependency-caching: false
# Autobuild attempts to build any compiled languages (Java, C#, Go, etc.)
# If this step fails, remove it and run the build manually instead
From 3b4ecf522ca5e8fa2758c1d1d8f6041488fa42d2 Mon Sep 17 00:00:00 2001
From: Mickey Gousset
Date: Mon, 29 Sep 2025 13:38:44 -0500
Subject: [PATCH 10/14] Update pom.xml
---
pom.xml | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/pom.xml b/pom.xml
index 32ca398..f3074d6 100644
--- a/pom.xml
+++ b/pom.xml
@@ -24,6 +24,12 @@
This is intentional for demonstration purposes. In a real application,
always use the latest secure versions of dependencies. -->
+
+ org.slf4j
+ slf4j-api
+ 2.0.7
+
+
org.apache.commons
commons-lang3
From 16c8b4f28ae7ccb4d5fdb2a09956d8348fb19053 Mon Sep 17 00:00:00 2001
From: Mickey Gousset
Date: Mon, 29 Sep 2025 13:51:53 -0500
Subject: [PATCH 11/14] Change CodeQL build mode and enable caching
---
.github/workflows/codeql-analysis.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index b22d747..75cd6d1 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -37,8 +37,8 @@ jobs:
with:
languages: ${{ matrix.language }}
queries: +security-and-quality
- build-mode: autobuild
- dependency-caching: false
+ build-mode: none
+ dependency-caching: true
# Autobuild attempts to build any compiled languages (Java, C#, Go, etc.)
# If this step fails, remove it and run the build manually instead
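Review bot: The comment immediately below the changed lines (`# Autobuild attempts to build any compiled languages…` / `# If this step fails, remove it…`) now describes a step that `build-mode: none` makes unnecessary, since that mode tells CodeQL to extract the Java sources without compiling them. Replace it with something like `# build-mode: none — CodeQL extracts Java without a build; dependency-caching presumably keeps the Maven artifacts it fetches for type resolution (confirm against the CodeQL docs)`. That comment should also warn that build-less extraction can leave types from unresolved libraries as stubs, so flows through them may be missed; the sinks this repo demonstrates (`java.sql.Statement`, `javax.naming.DirContext.search`, `ProcessBuilder`) are JDK APIs and should be unaffected. The `Autobuild` step this makes redundant lies below the hunk.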
From e2a1073b73d5aab940174f00002fa13d0012d8ff Mon Sep 17 00:00:00 2001
From: Mickey Gousset
Date: Mon, 29 Sep 2025 13:55:35 -0500
Subject: [PATCH 12/14] Update codeql-analysis.yml
---
.github/workflows/codeql-analysis.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 75cd6d1..6c0df92 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -42,8 +42,8 @@ jobs:
# Autobuild attempts to build any compiled languages (Java, C#, Go, etc.)
# If this step fails, remove it and run the build manually instead
- - name: Autobuild
- uses: github/codeql-action/autobuild@v3
+ #- name: Autobuild
+ # uses: github/codeql-action/autobuild@v3
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
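Review bot: Commenting out the `Autobuild` step leaves dead YAML plus an explanatory comment above it that no longer matches the workflow; delete the two `#- name: Autobuild` / `# uses: …` lines and the `# Autobuild attempts…`/`# If this step fails…` comment rather than keeping them as history, which git already provides. If the intent is to keep a way back, a single `# To use autobuild instead, set build-mode: autobuild on the init step` says it without commented-out code. The `build-mode: none` setting this relies on is set above the hunk.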
From a567bbda9bf00fda631ec7df46eb190abcf157ca Mon Sep 17 00:00:00 2001
From: Mickey Gousset
Date: Mon, 29 Sep 2025 13:59:06 -0500
Subject: [PATCH 13/14] Add Guava dependency version 32.1.1-jre
---
pom.xml | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/pom.xml b/pom.xml
index f3074d6..94f5cba 100644
--- a/pom.xml
+++ b/pom.xml
@@ -24,6 +24,12 @@
This is intentional for demonstration purposes. In a real application,
always use the latest secure versions of dependencies. -->
+
+ com.google.guava
+ guava
+ 32.1.1-jre
+
+
org.slf4j
slf4j-api
From c9d90bc86a0b96004e7c3a315bb7c091bfa99476 Mon Sep 17 00:00:00 2001
From: Mickey Gousset
Date: Mon, 29 Sep 2025 14:29:53 -0500
Subject: [PATCH 14/14] Rename application from Test to Test2
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 94f5cba..8dd88b8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -10,7 +10,7 @@
1.0.0
jar
- Vulnerable Java Application - Test
+ Vulnerable Java Application - Test2
A simple Java application with intentional vulnerabilities for CodeQL scanning demonstration