From 263bf3b6bd6a8b3f987c495843d2600195379192 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 26 Sep 2025 13:21:15 +0000
Subject: [PATCH 01/10] Initial plan


From b0b6708145359b1f2f0515ba0631a6079138848b Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 26 Sep 2025 13:29:55 +0000
Subject: [PATCH 02/10] Implement CodeQL demo with reusable workflow and
 vulnerable Java app

Co-authored-by: mickeygousset <20031479+mickeygousset@users.noreply.github.com>
---
 .github/workflows/ci.yml                      |  53 +++++
 .github/workflows/codeql-analysis.yml         |  75 +++++++
 .github/workflows/codeql-reusable.yml         | 125 ++++++++++++
 README.md                                     | 188 +++++++++++++++++-
 pom.xml                                       |  63 ++++++
 .../com/example/demo/DatabaseInitializer.java |  54 +++++
 .../com/example/demo/DemoApplication.java     |  17 ++
 .../example/demo/VulnerableController.java    | 108 ++++++++++
 src/main/resources/application.properties     |  23 +++
 target/classes/application.properties         |  23 +++
 .../example/demo/DatabaseInitializer.class    | Bin 0 -> 2089 bytes
 .../com/example/demo/DemoApplication.class    | Bin 0 -> 703 bytes
 .../example/demo/VulnerableController.class   | Bin 0 -> 4328 bytes
 target/codeql-demo-1.0.0.jar                  | Bin 0 -> 6528 bytes
 target/maven-archiver/pom.properties          |   3 +
 .../compile/default-compile/createdFiles.lst  |   3 +
 .../compile/default-compile/inputFiles.lst    |   3 +
 17 files changed, 737 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/ci.yml
 create mode 100644 .github/workflows/codeql-analysis.yml
 create mode 100644 .github/workflows/codeql-reusable.yml
 create mode 100644 pom.xml
 create mode 100644 src/main/java/com/example/demo/DatabaseInitializer.java
 create mode 100644 src/main/java/com/example/demo/DemoApplication.java
 create mode 100644 src/main/java/com/example/demo/VulnerableController.java
 create mode 100644 src/main/resources/application.properties
 create mode 100644 target/classes/application.properties
 create mode 100644 target/classes/com/example/demo/DatabaseInitializer.class
 create mode 100644 target/classes/com/example/demo/DemoApplication.class
 create mode 100644 target/classes/com/example/demo/VulnerableController.class
 create mode 100644 target/codeql-demo-1.0.0.jar
 create mode 100644 target/maven-archiver/pom.properties
 create mode 100644 target/maven-status/maven-compiler-plugin/compile/default-compile/createdFiles.lst
 create mode 100644 target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..524a1e5
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,53 @@
+name: 'Continuous Integration'
+
+# Simple CI workflow to build and test the Java application
+# This runs independently of CodeQL analysis
+
+on:
+  push:
+    branches: [ "main", "develop" ]
+  pull_request:
+    branches: [ "main" ]
+
+jobs:
+  build-and-test:
+    name: 'Build and Test'
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: 'Checkout code'
+        uses: actions/checkout@v4
+      
+      - name: 'Set up Java 11'
+        uses: actions/setup-java@v4
+        with:
+          java-version: '11'
+          distribution: 'temurin'
+          cache: 'maven'
+      
+      - name: 'Build application'
+        run: |
+          mvn clean compile -DskipTests
+          echo "✅ Application built successfully"
+      
+      - name: 'Run basic validation'
+        run: |
+          # Check that main classes were compiled
+          if [ -f "target/classes/com/example/demo/DemoApplication.class" ]; then
+            echo "✅ Main application class compiled"
+          else
+            echo "❌ Main application class not found"
+            exit 1
+          fi
+          
+          if [ -f "target/classes/com/example/demo/VulnerableController.class" ]; then
+            echo "✅ Vulnerable controller compiled (contains security issues for demo)"
+          else
+            echo "❌ Vulnerable controller not found"
+            exit 1
+          fi
+      
+      - name: 'Package application'
+        run: |
+          mvn package -DskipTests
+          echo "✅ Application packaged successfully"
\ No newline at end of file
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 0000000..6fc9e66
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,75 @@
+name: 'CodeQL Security Analysis'
+
+# This workflow demonstrates how to call the reusable CodeQL workflow
+# and pass custom query packs for enhanced security scanning.
+
+on:
+  # Trigger on pushes to main branch
+  push:
+    branches: [ "main", "develop" ]
+  
+  # Trigger on pull requests to main branch  
+  pull_request:
+    branches: [ "main" ]
+  
+  # Allow manual triggering
+  workflow_dispatch:
+    inputs:
+      custom-query-packs:
+        description: 'Additional query packs to run (comma-separated)'
+        required: false
+        default: ''
+      query-suite:
+        description: 'Query suite to use'
+        required: false
+        default: 'security-extended'
+        type: choice
+        options:
+          - 'default'
+          - 'security-extended' 
+          - 'security-and-quality'
+
+# Set permissions for the workflow
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+
+jobs:
+  # Job 1: Standard CodeQL analysis with default security queries
+  standard-analysis:
+    name: 'Standard Security Analysis'
+    uses: ./.github/workflows/codeql-reusable.yml
+    with:
+      language: 'java'
+      query-suite: 'security-extended'
+      java-version: '11'
+    # Pass secrets if needed (none required for this demo)
+    secrets: inherit
+
+  # Job 2: Enhanced analysis with additional query packs
+  enhanced-analysis:
+    name: 'Enhanced Security Analysis'
+    uses: ./.github/workflows/codeql-reusable.yml
+    with:
+      language: 'java'
+      # Specify additional query packs for more comprehensive analysis
+      # These packs focus on specific vulnerability types
+      query-packs: 'codeql/java-queries:cwe-079,codeql/java-queries:cwe-089,codeql/java-queries:cwe-078'
+      query-suite: 'security-and-quality'
+      java-version: '11'
+      # Custom build command for more control
+      build-command: 'mvn clean compile -DskipTests -Dmaven.compiler.debug=true'
+    secrets: inherit
+
+  # Job 3: Manual trigger analysis (only runs on workflow_dispatch)
+  manual-analysis:
+    name: 'Manual Analysis with Custom Packs'
+    if: github.event_name == 'workflow_dispatch'
+    uses: ./.github/workflows/codeql-reusable.yml
+    with:
+      language: 'java'
+      query-packs: ${{ github.event.inputs.custom-query-packs }}
+      query-suite: ${{ github.event.inputs.query-suite }}
+      java-version: '11'
+    secrets: inherit
\ No newline at end of file
diff --git a/.github/workflows/codeql-reusable.yml b/.github/workflows/codeql-reusable.yml
new file mode 100644
index 0000000..e73222d
--- /dev/null
+++ b/.github/workflows/codeql-reusable.yml
@@ -0,0 +1,125 @@
+name: 'CodeQL Analysis - Reusable Workflow'
+
+# This is a reusable workflow that performs CodeQL analysis on Java code.
+# It accepts query pack suggestions as input parameters, allowing calling
+# workflows to specify additional security queries to run beyond the defaults.
+
+on:
+  workflow_call:
+    inputs:
+      # Language to analyze (default: java)
+      language:
+        description: 'Programming language to analyze'
+        required: false
+        type: string
+        default: 'java'
+      
+      # Query packs to use in addition to the default security queries
+      query-packs:
+        description: 'Comma-separated list of CodeQL query packs to use (e.g., "codeql/java-queries:cwe-079,codeql/java-queries:cwe-089")'
+        required: false
+        type: string
+        default: ''
+      
+      # Query suite to use (options: default, security-extended, security-and-quality)
+      query-suite:
+        description: 'CodeQL query suite to use'
+        required: false
+        type: string
+        default: 'security-extended'
+      
+      # Build command override (optional)
+      build-command:
+        description: 'Custom build command (if not provided, will use auto-build)'
+        required: false
+        type: string
+        default: ''
+      
+      # Java version to use
+      java-version:
+        description: 'Java version to use for build'
+        required: false
+        type: string
+        default: '11'
+
+jobs:
+  codeql-analysis:
+    name: 'CodeQL Analysis'
+    runs-on: ubuntu-latest
+    
+    # Required permissions for CodeQL analysis
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+      # Step 1: Checkout the repository code
+      - name: 'Checkout repository'
+        uses: actions/checkout@v4
+        with:
+          # Fetch full history for better analysis
+          fetch-depth: 0
+
+      # Step 2: Set up Java environment
+      - name: 'Set up Java'
+        uses: actions/setup-java@v4
+        with:
+          java-version: ${{ inputs.java-version }}
+          distribution: 'temurin'
+          cache: 'maven'
+
+      # Step 3: Initialize CodeQL with specified configuration
+      - name: 'Initialize CodeQL'
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ inputs.language }}
+          # Use the specified query suite
+          queries: ${{ inputs.query-suite }}
+          # Add query packs if specified
+          packs: ${{ inputs.query-packs }}
+        env:
+          # Increase memory for CodeQL analysis
+          CODEQL_ACTION_EXTRA_OPTIONS: '{"database": {"interpret-results": {"max-paths": 4}}}'
+
+      # Step 4: Build the application
+      - name: 'Build application'
+        run: |
+          if [ -n "${{ inputs.build-command }}" ]; then
+            echo "Using custom build command: ${{ inputs.build-command }}"
+            ${{ inputs.build-command }}
+          else
+            echo "Using auto-build for Java project"
+            if [ -f "pom.xml" ]; then
+              echo "Detected Maven project"
+              mvn clean compile -DskipTests
+            elif [ -f "build.gradle" ] || [ -f "build.gradle.kts" ]; then
+              echo "Detected Gradle project" 
+              ./gradlew build -x test
+            else
+              echo "No recognized build file found, using CodeQL autobuild"
+            fi
+          fi
+
+      # Step 5: Perform CodeQL Analysis
+      - name: 'Perform CodeQL Analysis'
+        uses: github/codeql-action/analyze@v3
+        with:
+          # Upload results even if there are errors
+          upload: true
+          # Set analysis category for tracking
+          category: 'java-security-analysis'
+        env:
+          # Enable verbose logging for troubleshooting
+          CODEQL_ACTION_DEBUG: false
+
+      # Step 6: Upload analysis results as artifacts (optional)
+      - name: 'Upload CodeQL results'
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: codeql-results-${{ inputs.language }}
+          path: |
+            ${{ runner.temp }}/codeql_databases/
+            !${{ runner.temp }}/codeql_databases/**/*.zip
+          retention-days: 30
\ No newline at end of file
diff --git a/README.md b/README.md
index 599a26e..8e4f5da 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,187 @@
-# coding-agent-example-codeql
\ No newline at end of file
+# CodeQL Reusable Workflow Demo
+
+This repository demonstrates how to use GitHub Advanced Security CodeQL Code Scanning with reusable workflows that accept query pack suggestions. It includes a Java application with intentional security vulnerabilities to showcase CodeQL's detection capabilities.
+
+## 🎯 Purpose
+
+This demo addresses a common scenario where teams want to:
+- Use reusable workflows for CodeQL analysis across multiple repositories
+- Pass custom query packs to enhance security scanning
+- Maintain consistency in security analysis while allowing customization
+
+## 📁 Repository Structure
+
+```
+├── src/main/java/com/example/demo/          # Java application source code
+│   ├── DemoApplication.java                 # Main Spring Boot application
+│   ├── VulnerableController.java            # REST controller with security vulnerabilities
+│   └── DatabaseInitializer.java             # Database setup component
+├── src/main/resources/
+│   └── application.properties               # Spring Boot configuration
+├── .github/workflows/
+│   ├── codeql-reusable.yml                 # Reusable CodeQL workflow
+│   ├── codeql-analysis.yml                 # Calling workflow with query pack examples
+│   └── ci.yml                              # Basic CI workflow
+├── pom.xml                                  # Maven build configuration
+└── README.md                               # This documentation
+```
+
+## 🔧 Components
+
+### Java Application
+A simple Spring Boot web application that intentionally contains security vulnerabilities:
+
+- **SQL Injection (CWE-89)**: Direct string concatenation in SQL queries
+- **Cross-Site Scripting (CWE-79)**: Unescaped user input in HTML output
+- **Path Traversal (CWE-22)**: User input directly used in file paths
+- **Command Injection (CWE-78)**: User input passed to system commands
+
+⚠️ **WARNING**: This application contains deliberate security vulnerabilities and should NEVER be deployed to production.
+
+### Reusable Workflow (`.github/workflows/codeql-reusable.yml`)
+
+A flexible, reusable workflow that:
+- Accepts custom query packs as input parameters
+- Supports different query suites (default, security-extended, security-and-quality)
+- Handles Java project builds automatically (Maven/Gradle)
+- Provides comprehensive error handling and logging
+- Uploads analysis results as artifacts
+
+**Key Input Parameters:**
+- `query-packs`: Comma-separated list of CodeQL query packs
+- `query-suite`: CodeQL query suite to use
+- `language`: Programming language (default: java)
+- `java-version`: Java version for builds (default: 11)
+- `build-command`: Custom build command override
+
+### Calling Workflow (`.github/workflows/codeql-analysis.yml`)
+
+Demonstrates three different analysis approaches:
+1. **Standard Analysis**: Basic security scanning with default queries
+2. **Enhanced Analysis**: Additional query packs for comprehensive scanning
+3. **Manual Analysis**: User-triggered analysis with custom parameters
+
+## 🚀 Usage
+
+### Basic Usage
+
+The workflows will automatically run on:
+- Pushes to `main` or `develop` branches
+- Pull requests to `main` branch
+
+### Manual Triggering
+
+You can manually trigger enhanced analysis:
+
+1. Go to **Actions** tab in your GitHub repository
+2. Select **CodeQL Security Analysis** workflow
+3. Click **Run workflow**
+4. Optionally specify custom query packs and suite
+
+### Custom Query Packs
+
+Examples of query pack specifications:
+
+```yaml
+# Specific vulnerability types
+query-packs: 'codeql/java-queries:cwe-079,codeql/java-queries:cwe-089'
+
+# Security and quality analysis
+query-packs: 'codeql/java-queries:security,codeql/java-queries:quality'
+
+# Third-party query packs (if available)
+query-packs: 'my-org/custom-security-queries,codeql/java-queries:cwe-078'
+```
+
+### Available Query Suites
+
+- `default`: Standard security queries
+- `security-extended`: Enhanced security analysis (recommended)
+- `security-and-quality`: Security + code quality analysis
+
+## 🔍 Expected CodeQL Findings
+
+When you run CodeQL analysis on this repository, you should see alerts for:
+
+1. **SQL Injection** in `VulnerableController.getUser()` and `searchUsers()`
+2. **Cross-Site Scripting** in `VulnerableController.welcomeUser()`  
+3. **Path Traversal** in `VulnerableController.readFile()`
+4. **Command Injection** in `VulnerableController.pingHost()`
+
+## 🛠️ Building Locally
+
+To build and run the application locally:
+
+```bash
+# Build the application
+mvn clean compile
+
+# Package the application
+mvn package
+
+# Run the application (optional - contains vulnerabilities!)
+mvn spring-boot:run
+```
+
+The application will start on `http://localhost:8080` with the following endpoints:
+- `/api/users/{userId}` - SQL injection vulnerability
+- `/api/search?name=<name>` - SQL injection vulnerability  
+- `/api/welcome?username=<name>` - XSS vulnerability
+- `/api/files/{filename}` - Path traversal vulnerability
+- `/api/ping?host=<host>` - Command injection vulnerability
+
+## 📚 Learning Resources
+
+### CodeQL Documentation
+- [CodeQL Documentation](https://codeql.github.com/docs/)
+- [CodeQL Query Packs](https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/publishing-and-using-codeql-packs)
+- [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security)
+
+### Reusable Workflows
+- [Reusing Workflows](https://docs.github.com/en/actions/using-workflows/reusing-workflows)
+- [Workflow Syntax](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions)
+
+## 🔧 Troubleshooting
+
+### Common Issues
+
+**Issue**: "Cannot find query pack"
+- **Solution**: Ensure query pack names are correct and accessible to your repository
+- **Check**: Verify the query pack exists in the CodeQL registry
+- **Alternative**: Use built-in query suites instead of custom packs
+
+**Issue**: Build failures in reusable workflow
+- **Solution**: Check the `build-command` parameter or ensure auto-detection works
+- **Debug**: Enable verbose logging by setting `CODEQL_ACTION_DEBUG: true`
+
+**Issue**: No security alerts generated
+- **Solution**: Verify the code contains detectable vulnerabilities
+- **Check**: Ensure CodeQL is analyzing the correct language and files
+
+### Debugging Tips
+
+1. **Enable Debug Logging**: Set `CODEQL_ACTION_DEBUG: true` in the workflow
+2. **Check Build Logs**: Review the "Build application" step for compilation errors
+3. **Verify Query Packs**: Ensure specified query packs are publicly available
+4. **Review Permissions**: Confirm the workflow has `security-events: write` permission
+
+## 🤝 Contributing
+
+This is a demonstration repository. If you find issues or have suggestions for improvement:
+
+1. Open an issue describing the problem or enhancement
+2. Include steps to reproduce any issues
+3. Provide context about your use case
+
+## ⚠️ Security Notice
+
+This repository contains intentionally vulnerable code for educational purposes. Do not:
+- Deploy this application to production environments
+- Use the vulnerable code patterns in real applications
+- Expose this application to untrusted networks
+
+The vulnerabilities are designed to demonstrate CodeQL's detection capabilities and should be treated as examples of what NOT to do in secure coding practices.
+
+## 📄 License
+
+This project is provided as-is for educational and demonstration purposes.
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
new file mode 100644
index 0000000..89d5f0e
--- /dev/null
+++ b/pom.xml
@@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 
+         http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    
+    <groupId>com.example</groupId>
+    <artifactId>codeql-demo</artifactId>
+    <version>1.0.0</version>
+    <packaging>jar</packaging>
+    
+    <name>CodeQL Demo Application</name>
+    <description>A simple Java application with intentional security vulnerabilities for CodeQL demonstration</description>
+    
+    <properties>
+        <maven.compiler.source>11</maven.compiler.source>
+        <maven.compiler.target>11</maven.compiler.target>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
+    
+    <dependencies>
+        <!-- Spring Boot for web application -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+            <version>2.7.0</version>
+        </dependency>
+        
+        <!-- H2 Database for SQL injection demo -->
+        <dependency>
+            <groupId>com.h2database</groupId>
+            <artifactId>h2</artifactId>
+            <version>2.1.214</version>
+        </dependency>
+        
+        <!-- JDBC Support -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-jdbc</artifactId>
+            <version>2.7.0</version>
+        </dependency>
+    </dependencies>
+    
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-maven-plugin</artifactId>
+                <version>2.7.0</version>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>3.8.1</version>
+                <configuration>
+                    <source>11</source>
+                    <target>11</target>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+</project>
\ No newline at end of file
diff --git a/src/main/java/com/example/demo/DatabaseInitializer.java b/src/main/java/com/example/demo/DatabaseInitializer.java
new file mode 100644
index 0000000..ec03d19
--- /dev/null
+++ b/src/main/java/com/example/demo/DatabaseInitializer.java
@@ -0,0 +1,54 @@
+package com.example.demo;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.jdbc.core.JdbcTemplate;
+import org.springframework.stereotype.Component;
+
+import javax.annotation.PostConstruct;
+
+/**
+ * Component to initialize the database with sample data for demonstration.
+ * This creates a simple users table and populates it with test data.
+ */
+@Component
+public class DatabaseInitializer {
+    
+    @Autowired
+    private JdbcTemplate jdbcTemplate;
+    
+    /**
+     * Initialize the database schema and sample data after bean construction
+     */
+    @PostConstruct
+    public void initializeDatabase() {
+        try {
+            // Create users table
+            jdbcTemplate.execute(
+                "CREATE TABLE IF NOT EXISTS users (" +
+                "id INT PRIMARY KEY, " +
+                "name VARCHAR(255), " +
+                "email VARCHAR(255)" +
+                ")"
+            );
+            
+            // Insert sample data
+            jdbcTemplate.update(
+                "INSERT INTO users (id, name, email) VALUES (?, ?, ?)",
+                1, "John Doe", "john.doe@example.com"
+            );
+            
+            jdbcTemplate.update(
+                "INSERT INTO users (id, name, email) VALUES (?, ?, ?)",
+                2, "Jane Smith", "jane.smith@example.com"
+            );
+            
+            jdbcTemplate.update(
+                "INSERT INTO users (id, name, email) VALUES (?, ?, ?)",
+                3, "Bob Johnson", "bob.johnson@example.com"
+            );
+            
+        } catch (Exception e) {
+            System.err.println("Error initializing database: " + e.getMessage());
+        }
+    }
+}
\ No newline at end of file
diff --git a/src/main/java/com/example/demo/DemoApplication.java b/src/main/java/com/example/demo/DemoApplication.java
new file mode 100644
index 0000000..fc09836
--- /dev/null
+++ b/src/main/java/com/example/demo/DemoApplication.java
@@ -0,0 +1,17 @@
+package com.example.demo;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+/**
+ * Main application class for the CodeQL security demo.
+ * This application intentionally contains security vulnerabilities
+ * that will be detected by CodeQL scanning.
+ */
+@SpringBootApplication
+public class DemoApplication {
+    
+    public static void main(String[] args) {
+        SpringApplication.run(DemoApplication.class, args);
+    }
+}
\ No newline at end of file
diff --git a/src/main/java/com/example/demo/VulnerableController.java b/src/main/java/com/example/demo/VulnerableController.java
new file mode 100644
index 0000000..d932bbb
--- /dev/null
+++ b/src/main/java/com/example/demo/VulnerableController.java
@@ -0,0 +1,108 @@
+package com.example.demo;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.jdbc.core.JdbcTemplate;
+import org.springframework.web.bind.annotation.*;
+
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.List;
+import java.util.Map;
+
+/**
+ * REST Controller with intentional security vulnerabilities for CodeQL demonstration.
+ * 
+ * WARNING: This code contains deliberate security vulnerabilities and should NEVER
+ * be used in production. It is designed solely for educational purposes to demonstrate
+ * how CodeQL can detect common security issues.
+ * 
+ * Vulnerabilities included:
+ * 1. SQL Injection
+ * 2. Cross-Site Scripting (XSS)  
+ * 3. Path Traversal
+ * 4. Command Injection
+ */
+@RestController
+@RequestMapping("/api")
+public class VulnerableController {
+    
+    @Autowired
+    private JdbcTemplate jdbcTemplate;
+    
+    /**
+     * SQL Injection vulnerability: Direct concatenation of user input into SQL query
+     * CodeQL should detect this as CWE-89: SQL Injection
+     */
+    @GetMapping("/users/{userId}")
+    public List<Map<String, Object>> getUser(@PathVariable String userId) {
+        // VULNERABLE: Direct string concatenation creates SQL injection risk
+        String sql = "SELECT * FROM users WHERE id = '" + userId + "'";
+        return jdbcTemplate.queryForList(sql);
+    }
+    
+    /**
+     * Another SQL Injection vulnerability with search functionality
+     * CodeQL should detect this as CWE-89: SQL Injection
+     */
+    @GetMapping("/search")
+    public List<Map<String, Object>> searchUsers(@RequestParam String name) {
+        // VULNERABLE: User input directly embedded in SQL query
+        String sql = "SELECT * FROM users WHERE name LIKE '%" + name + "%'";
+        return jdbcTemplate.queryForList(sql);
+    }
+    
+    /**
+     * Cross-Site Scripting (XSS) vulnerability
+     * CodeQL should detect this as CWE-79: Cross-site Scripting
+     */
+    @GetMapping("/welcome")
+    public void welcomeUser(@RequestParam String username, HttpServletResponse response) 
+            throws IOException {
+        response.setContentType("text/html");
+        PrintWriter out = response.getWriter();
+        
+        // VULNERABLE: User input directly written to HTML output without encoding
+        out.println("<html><body>");
+        out.println("<h1>Welcome " + username + "!</h1>");
+        out.println("</body></html>");
+    }
+    
+    /**
+     * Path Traversal vulnerability
+     * CodeQL should detect this as CWE-22: Path Traversal
+     */
+    @GetMapping("/files/{filename}")
+    public String readFile(@PathVariable String filename) {
+        try {
+            // VULNERABLE: User input used directly in file path
+            java.nio.file.Path path = java.nio.file.Paths.get("/app/data/" + filename);
+            return java.nio.file.Files.readString(path);
+        } catch (Exception e) {
+            return "Error reading file: " + e.getMessage();
+        }
+    }
+    
+    /**
+     * Command Injection vulnerability
+     * CodeQL should detect this as CWE-78: Command Injection
+     */
+    @GetMapping("/ping")
+    public String pingHost(@RequestParam String host) {
+        try {
+            // VULNERABLE: User input directly used in system command
+            Process process = Runtime.getRuntime().exec("ping -c 1 " + host);
+            java.io.BufferedReader reader = new java.io.BufferedReader(
+                new java.io.InputStreamReader(process.getInputStream()));
+            
+            StringBuilder result = new StringBuilder();
+            String line;
+            while ((line = reader.readLine()) != null) {
+                result.append(line).append("\n");
+            }
+            return result.toString();
+        } catch (Exception e) {
+            return "Error executing ping: " + e.getMessage();
+        }
+    }
+}
\ No newline at end of file
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
new file mode 100644
index 0000000..4a005f5
--- /dev/null
+++ b/src/main/resources/application.properties
@@ -0,0 +1,23 @@
+# Spring Boot Application Configuration for CodeQL Demo
+# This configuration uses H2 in-memory database for simplicity
+
+# Server configuration
+server.port=8080
+
+# H2 Database configuration
+spring.datasource.url=jdbc:h2:mem:testdb
+spring.datasource.driver-class-name=org.h2.Driver
+spring.datasource.username=sa
+spring.datasource.password=
+
+# H2 Console (for debugging - should be disabled in production)
+spring.h2.console.enabled=true
+spring.h2.console.path=/h2-console
+
+# JPA/Hibernate configuration
+spring.jpa.show-sql=true
+spring.jpa.hibernate.ddl-auto=none
+
+# Logging configuration
+logging.level.com.example.demo=DEBUG
+logging.level.org.springframework.jdbc=DEBUG
\ No newline at end of file
diff --git a/target/classes/application.properties b/target/classes/application.properties
new file mode 100644
index 0000000..4a005f5
--- /dev/null
+++ b/target/classes/application.properties
@@ -0,0 +1,23 @@
+# Spring Boot Application Configuration for CodeQL Demo
+# This configuration uses H2 in-memory database for simplicity
+
+# Server configuration
+server.port=8080
+
+# H2 Database configuration
+spring.datasource.url=jdbc:h2:mem:testdb
+spring.datasource.driver-class-name=org.h2.Driver
+spring.datasource.username=sa
+spring.datasource.password=
+
+# H2 Console (for debugging - should be disabled in production)
+spring.h2.console.enabled=true
+spring.h2.console.path=/h2-console
+
+# JPA/Hibernate configuration
+spring.jpa.show-sql=true
+spring.jpa.hibernate.ddl-auto=none
+
+# Logging configuration
+logging.level.com.example.demo=DEBUG
+logging.level.org.springframework.jdbc=DEBUG
\ No newline at end of file
diff --git a/target/classes/com/example/demo/DatabaseInitializer.class b/target/classes/com/example/demo/DatabaseInitializer.class
new file mode 100644
index 0000000000000000000000000000000000000000..2a64bb8e5204b20750553e77d798884c9cbb9ebb
GIT binary patch
literal 2089
zcma)7ZBrXn6n<`iY)I2W!%Iumx>cwN1y&KXlG-+eAfe&KYzoEJmz(4Q8<M@5-5U!0
z690jp>p0ZujQ#-skmDD}bCVR7A>(wCy=Tuo=brnV*Zu3?H-7^75<f)|LXUyo82S)q
z7_9O`Zq>NEXKj?KqO2Ig4;<G~4;gwA$*q1w&~G3b!xh9B#>=v9i6dTb)Pz+Lb!jbe
z#Y@~5IXdI;nsXvNhFG;yDi;N5aU~e0^3vP0{D$Yad%GU5i<i<nu(Xa<mY%Ry1KOzw
zt}(pG6td}J)-0wM^I0>uY_4w<&Fr(BU9`=nFFfB&I2ALuUNkogxwUj*$9$6AnKE6n
zZEmFtnU!=QF*`q>oH9k7JGBdY$tVVK-9S8sAq+E2zB@PuLmY{6Q#&=1$e+i~R@%2z
zaw~#ShPm9joh=kKzKwIZZFn6-NrIGrnzhZuqbXDW3Dr%E8Mqb0dw8GW`nmC(tHhoT
zt8vI{O|h}dFq+6E1J`#nD0a6QBCB%WHJ7A_z+@P%5;s$k;&CT!Gn7IdfsbPN7~_=g
zW~0)|Qlg7P&jXjV>m!xSMR1oPy2@Q)+I2_mN01;yRpMuS%?EFaV3Og=qAZyjl`q{0
zrWkINWNAhNqm7`pff<IObI-F!WzkTMbo=osJ~J>I!{?a0P__24uSA`SRd^Jkkv3jO
zTAP#*MQIVdo{C}`U&N^T?-TAlq1J@&^F7Mpa3UDRP7>qPC<`&9@PL5U`GLqtx6IWx
zc}8!(;;!-;?skb*7h_R8#3KWbV@T^-Yx{N)9_3YchN`&?V}+)xoVwU@e5X_sY1fsC
z>j2P=_q%pcNpRP<c6nJz@7UsJ2ds2c$(N2NDk+BEjI5Bm19`_4>&<#ectuX;8RB_a
z=Cv*EIhyZm_NskHdzgQhW+&@$Julk5|8^QMFx?`7>N!g#9k^;MUOrgkjn0K;OYbO%
zepC9Y6>YCsR&*q4%cfTr%Z^5U^X)Z(p);eahMKu+kf=mFA=Pn1SQ%MwNLRSp=-{H1
z%2yt5tO>O*EB-(jb`(WCHL#^CV4Ei1c{Mujp*#>)yG+_evD}V3!_UET=qR?0u5h<f
z6aIK!%7bPj6$nYE-U2%p4i*V+7xiu}dD%pU*J`$-1dW6phTB=slb(5&Cz@3zHGOMv
zFPMx5cFuK$m#J~z7rucP3=^09?&gkxAISRutI~*R`;I&GF$qz3F<R+!LUfV1FwqRr
z5K;Oj(Yi#OMU)Zkn|uxSswK|Ss>Q%HEYqqDkOIEJ3Q>j}Nkgr}|FqtKlgZy;#IK%W
zp!G5m{sW<%p5EVa!`|tQe_-$Q#Xq!9ac4Uy?(2vrwD^-t;&4Zt)Z%+B@h=$4{|f8g
zDdykcE8rAgziMIIg+rsK2O9YTp$2ZDpT_PeCNNGkLBDxSlKTnrVwx(?LW$@u=IG=s
zsx<D7Nke-(O1@PwfK@zc**@v`ohMm8LVv?CFg<V<(KXuc#X7AaY@F?G68|kd5i(Jr
R=NY~uE=q6D@jZUT*njO5GDH9X

literal 0
HcmV?d00001

diff --git a/target/classes/com/example/demo/DemoApplication.class b/target/classes/com/example/demo/DemoApplication.class
new file mode 100644
index 0000000000000000000000000000000000000000..ed58fdf5d9ffa7c61370e127d648293c6900ee15
GIT binary patch
literal 703
zcmah{!A=`75PePp8`89-fzm>IXnP7d)HgT;A+<rAR;|>aaNy)!%woE0M_w=Fw>W_~
z@B#g(s$(k>D-?-6ywS{f-pst6zyBT{0qo;b2MshMw7OWqDnsu|TnnBHo$+7El}sJO
z>VeYA9WpcryVD45hR>-fxSWe(mP>vv3&W2HzRza4N`+HKchJGB2;DAT;|;^m*o>Dm
zt8{i@MImpD{lgPu9G`?>t&+OfN;4#b_-T@HF3NIrR*OuWCmZd?%a~K6ot!&9Hu^$k
zl@&=YYb_}3(<6q~*qlp-^;l{7vnmp4PyAbker!^aPlZ+9Uj$q3Qk4u}<CnJg%!N?2
z#nxci&{N6_n-SN>k~BkSVk(=;W93KLd?xKTFAKx=?@BvW$f+uoUr%e}g7n0CxKx#(
zx2T*Ud4eo*q5cp05jA;6_=1Rz!ha1ge-?!6<Z-f$?8@*C>^7u(ggy;)@it(1fIc?J
vTf-*aEsFO78PM)W!+WfqKGpjR1T~1zt8uikh4&P1;6uP|?2z@nJ_7#%G(ffy

literal 0
HcmV?d00001

diff --git a/target/classes/com/example/demo/VulnerableController.class b/target/classes/com/example/demo/VulnerableController.class
new file mode 100644
index 0000000000000000000000000000000000000000..fa65818bd2d72983e9f66703b582a5a36cdf4e5d
GIT binary patch
literal 4328
zcma)9`CA*u8GZ)@E6Xyr<&!jZ<kXyjY+SoZYGG1CAdm=yfk0iiaTaMnYgW7R?uw&n
z+B9v``@ZkH>0PHy@ztcq5B;J4N&kmFN#EIBT@NDR(WBX&nQy-1{f_zeKX2T59l#^_
zR{||))euXf4ebI4t{H2FZW;E9KD~5J=6r$nA=5VfVS(1(zJ(M|#go{Bgut<)u_{L$
zJ7@TdreENj=Nq=~33T^nYkcN>*R)qMecPAzAc=h%I+ECr0|H$+r>M&fqgb+}o|i>O
zUnpC)bd4oTiSb>>vZO1Jyp~_e%}bIQz7!b9I_`?@m6Via*C@($$6eJGjh=H{sXtjq
zok<{tLmCbzaRf&N`gebna<7-AyE*Q-S<@pfr*<~7?3<RZs4^)C#N+4`*yGC$UoZGY
zYcJk`do{c>i4(YwU@53JbWgf#mQ)meNuS^_7cR_7uS8^NXon|#g@d&H`OOj+jx^I?
zL9suX#Qk^|g|0|{(KUSq+p*rr1*W6V5Ugk;6Gs<q8&aAL4=p+Q&EW)k(5s;@iGHQv
zp}?1orvx+wxNq4h1`sVAq<%wsaC|7RayW%n#5FwB5L96>B=ByW(Qr12_u%1*0Gkq)
zO}c)@@Cyv0R_ZR0X=3A*?V%Kz*1&_#eiZN3a4v}qhPH_rr!0y|xYEdnY6<j4(i-_R
z30)0Lh!B_{S;jVUvgDhNoxpj#FNq5nA!}MNB|Xnrp|cKG;1B4dq(~u#cmiV>*YHFV
z6POe@SWBJRvhABi9#)*HlOqkBqGd)}TgWP##1t+H#N>v|3G_4pu->2<*U3@GjD{J3
zqZL<=l$V#KEAz7iN4gqj1v)ExlXj`>(*S7{!|ep-@wA48Bo^`h1_L7Ij13x4cdjuS
z>o(}KOZb2)Mpp!mN2)V0>Ph+*5}3w^6wxzuLX9ZYCeyc|;aN(k;TWPlQZ_9blfYH9
zDh|0M^2$wdT9VJ2wp2UINvxp2s%Ml+(#{JEz72j2yqQeb1Vln{vXUqU?0qMsNueEa
z;uv{s!Sqa4whOlH_=XA{2IHemYuS=CY)@Y{a=znk>PGc|exd9;>n7clp}R+&JR@bl
zGUQ^pxFp?qRX7DwStn;$3x;c|d9)bw3nu0DWOr3_$zG!apJt6BGG#s{iA-vH8Zv9W
z>lW+IoVj8fe%Yn`D?0;Nt&>9`t6)B5l%i>Urqsy_FQ&{ee*$NlBDOA<^d-~I*Ms#0
zlaWqUcacEbnqid{T)MKx)1M2CdS2lEM)%AZ>Ple&ZSd2>yOyeoSp|E_-Rnui%@q`q
zgg<7JH?d{$SE~ZM=Q}HT8+m@9p5nVMExJ-F#scS?Kpp`2_SX!vhZ&*J2z6s}RPLXU
z=`L6>3Y;=)_mR+PjW-9CO;oF;r{PPLI;ygKy1GLp^vI?tLsh*dWF-R1Y8tX`tkcXq
zQbbZ4%QB_L)#VZzwQtTha;uDnC>st27Z0PLLc%zRt4Nt})J@N;E~t^zv@Q%Qg_9Yf
z3W&n}c-7#>`bp`e@yZsNb=I+HtQ|DYV)F7)2*kGON(I6-=ak)?4DIi1))PIbO5IM?
zqggJnsR&w$u%)7U%?nTSqe0-+QYoezC6kx@h~xO4?;52k=@*>5x4#{~N#M8mord45
zj`0s{nQA53wAY+fsfP%JP2_l3-~_%?AHES`$aKQ6^SrfBWgTa=T*_>NvVNuEplX=v
zH$%CZ`c5J$EA@9{#A4L2tT{GOtnPneftVZ1j*ZTz`_tpI(^F}cDqebVVr+ISZRXSG
z(><amj#mWwcBWHNn9fc<HJ0w_5?v(!3qxzDaC&$#%;K~-$tLRba2$VSY7^g*o;Q3$
z7jfKVfRDMZ<EB;6F+S2NX3wR$b(^#*V$y@T^l7zlmzQ8jt6BjTSMDhSQnTZmwAova
zT88IIrs3=Czqfg(8R#1RA#mcYNg3{;hj5ZDeha@D1V=Xcd^()9^I3|X{OsWDI%hhc
zg3q@8n-H(?r3G$81l$Xc@5zt=KFXX4tl=m-D0O(2)UA9Tc;F5+V5<LB>>b#`!5dr)
z`KT`)pqIOS0k3pOAMxTztYd>bHOA^D-&*kD;OujO${pPK2>;Jtf$;EAe2jaV()R_v
z2z<P$BFElBkuwx@b_YdX+_fT~s44QvK#@=3r3jH1X+ex@-2<uPw{cGk25uuQaB(no
zY75<i#OVP*y`_j#cMb1*=n!BSaXdzsjqpQh6!+nAbg@lUKIjj*R&ndbrvr5<37^4d
zDRn=N;dA&r@%;knV}$36O)&g&p!%K`ZY$LlieEv3hm<>CA{*t-6IAm-p!GHAw{UuD
z;1(XaF-3hJyF;yTgJ+<==-70(2En2lYOuHKzzkO};V=WEqI3rv#;@XQ<b0TNzK(D3
zjS{McoWM5&L%zjT#^jtvt}0p^UH|PG;xBNM)vBVjP#vklZvGY?r`}I0c%PcOi|NaE
zap^L(p1X<5H}S!XcX5?Z<6LZT3rm;Jwf!51I%Az}TaYP}!{W<t{<kx>h1H6wcEwbF
zAXH85W}E`gU>|$Uqj(l+EHSe4I0H#+R!CW(3T9yb1cPlKhVWf{k4C3S_kH|;koEEX
zhxidedkCHQG0kt|nHo6rRdD9<lPWl;(E0}YG|X$5)^PQI=+vOU$)hbAl6-||4&6^{
z&?%3{@H37r_<4Y``i}es=f5PRVUqm{FLORX)ql;kKL+ECVEl71z8Z{M!FVee@8EAd
Oks$SJ_&ffI&i@1W*>X$(

literal 0
HcmV?d00001

diff --git a/target/codeql-demo-1.0.0.jar b/target/codeql-demo-1.0.0.jar
new file mode 100644
index 0000000000000000000000000000000000000000..e0194fb3613e50321bbda30e4d92b134406a6fc9
GIT binary patch
literal 6528
zcmb7I2Q*w;_n#=ygQ%k=gh+JJTSSjCdM_WNW|YwxqYI)FHF_r@h!#VTFhSHIdPoqR
z=ryAJ$CvjW|Gd1n)^}#zwa(nT_wVex_qluT^HW#G#KH#vZ~=fEJ5eLRrGbZ@gXFZO
zI2Bdpxz*8P<Y+P6|B4NL77WxxKh{8B=(`tUASqQvc{wd@E|B~VsHa;+nUiaPNSTwZ
zuLo7F$uq<^J@3M$1maKx4Y-%oXl{ZylzX){T?jRCKimbOdbD^(_y+jq=3Ur&dlU!u
zlsZR<xE_M8+VU^Xf1SqwoZIlz)Mvk#iiNhp!qMTsR{mas@DB+q7}&wd-s)c@Nq>>F
zv~qB~B>t<Hh%djs1K7g~`Y*z?e-}oZ&GmPqeqDw2-xVz!Ev=mGIsY>CXQa-(w5Uh`
z`G^AmERg^J?7w?6U3Yt^l?&M1-b%(1>gM8TZ*S$oWnm9?bxqQP7}1UbB`|}Y&Trjz
z)JVH7B5)Je@@qRt^Hu^4MxZP;A=b*rcAz2^zcv3YRFr;N5oAzM@t_HG(6s!YV$jw|
zLH85CCCO#~rG(u{pkfXWVs2*U%RtkH#D>>s{mzDvWAl}1#$&!f%9@fe$Rn9IL61|S
zDP-yhy%n>2OewKVrMyRKK>q4dc11Q^om$RB-f`+qjrJUo;0`Y8)5hhL!@2LFYu@+`
z_v%3zz$t;X!oaLGW$zqtcEkzIwdtIoz96lUwls}$eQEB9s(h3Vrx8N_OT4YmXeGxC
zTR#`oPKbdNFOmxX$R*}Yfj0$S{Su8;<qD#^A#s2phJClA?jbRA+<P#E0zX|FFLu)#
zNu?&el2(%&?vokI1Kg~hf>kT&$y|k3<JC!GZxx!wa*y~l&83tz!Kl_Xx1dDyi1faA
zg%LM31bcGabw9Zqvpi&6Dg+hMD9tlJwZo6Zt@}2k?8d@0ZDy*i+5Jw$Ut|iETeCeu
zrVVSbqV_(w-Md{Qf>*yT6*w4l+ViA)Myx)@bGwzFryx_o3={sEh@k`Tt^3AI7Dl<B
zV5&<TV}r?#lkiB+xa|a_NKvIS-2{8k1|ix&K6b|z6yQiBJV~5Mc_v#nS8jH*wLOHM
zek!=dOfu@AR5%|D7<aIh7f}bbQpoelYQ%NQ&d3&&N3@8Vy%Mj|C83yd`-au`6_ch9
z9M)fBCJoD~d~ZhIDf^C@R7O0IG^zxqf~0Pzp!<}VR{p8kfRa&jwqxLS!KZt<pQN8>
zgyLoBk&xNt<>dT08~U2KO8(&~CFriOF7ckayR!x&PZ+d_tJhW&r0wfCS+4ENgqKeT
zW#x%v)#-se>%d7Td>+Ur^ypo(YwtM1>M`$|0OC&Tnw;qvm4b&TV~m8uFmiZ=)EGJb
zxRYty;LxT=^^=k!idRj+y5Z{m>WScpZo&_#uj9lbX_D2=NBP(&z*H2w8zm{juMAXD
zDDL2eTSD&OY&Mg1F%QHDpXf)9Wh|$DvtP8I*dj_5bsI!JZQ|f2oEW5v4%$GhHVg>o
zWS1WGm2~nD@k}CBpLRMwpmAw7>?82h6;#FU%+TU_DS{N3-}q$S!<{-bnmM6^VrlFG
z++Xf&b*ylq;Z~Y<hyf47^*Hu3fv%l`$0f=-1aFoS#yQ`zMk#sx2<K#<iG-NN`Qxi9
z!0mPB_8K8nb)u`hl(!z!e6%;>eOcm`!d14lYa^YXrQ@XL3M(SS>xvmAFUIjK(-Dko
z*m&Vt!Ae-C9-qam(j#aoRSHKOsX7&7PswN9=ubeDwwm9Oqt2@)<wC8k3m{j(T}qC@
zllpXf2Wr-JBt00#U0;0pw|$Y&k)`CU2yO?jmMAqrkLLyz<JzU_;}y$Q`1D;+n&Dyt
zue{vadQMkvE^L|n{oX@)aO${vX{gK<-0B>zR`IZI6`<=}dR9e)A*~qQfUp56v>!J1
z%4Oh$FLA4cvPDyD{~C==B}^m<qt*e=0=vs%ol#;$l6&&v`B9^q^!kuQUUkP#de@Ik
zI-={2)rsZ}8ob}*Z@AD+?U>}>V?2)6+PzjYJBoLF^{vj9n3u(|M1@LvQTl#FHHR$&
zF89-X@MEpb?UCIwywDtrP!r1>)df16dP5+>A^nl)9c~rUuLKhlN+^#oFtW<}*_&_c
z{+5rQ0Xw4!QAOT^`GW~$%Q^l9iyiVs3LmX`eFZ<4xpi!n1Z8E;TSgSR&Z<Qfyb()M
zjW|nvk;IuvlR?aPzbs>#Wo5{W&L0dJd`r>v=rFYWy>m3){jUu%>B));v>)%;pbF~U
zA6MPGy?iQtlxU1-OEJ5{UV&j>KAC`#xDf3)Y0W@n6uO9)JVV>)ztOeKc3Pe@yPv0W
zpia#SYjd0tdffUn#i#F@f30iz(86o8##U2Nn-Eu{4S_oq+qu|K5H5m%L4lJzAl4Sp
z5M<FP)rlP377N{J@phEPz701;erYD6Yxwj|5li;o<Qm?qkGVcX%J<96qo1+4x@W3!
z9zJr~PYu}iTla}NLvcOW+H@B05YX8^k$o_i@KiQtD)a-Uwi_IW3AK^-p;$27NA%`4
zuu=Wiws`D&Vb4954Md=rQNJf91bgvE0;^E}up0aTWBaZm+$8<9Ie`J^Drv_p!f_JG
z#877;207M^<anrK*r%L{5Gu@u?PV4pLEK$upKIC02By=tQQoFeIj8dhM_I`<?uw`E
zyCAy<ry*%nVh?xj=j^#JjXK-rZHO{7h)OlbPBOC_6Af)g#-yx|1o+&$DWs^QW!w~S
zD@q}A*Y9?p-j)E<johq?Sz0MNQJPS<>GVLxDf|SeJj;s5rzt=0CDZZ*-5|$D<-Pyu
z$e%kwxNVS;)$w?3QF0kGucq1|U_>|W`xB%H)7qGy(0(u#AKd4rQ*G09pe0dEKpwL@
zp0H9(ymR@i{RYY=NkUWP!7C9^{3_P7*8-LXNwl%1O4Sc)HpsIKC+~T8%zJzAzU3CZ
zPl|l;-2(}qY+(tX(<^=t7bj!M{bYA0VAg{o)kKRuUpt5vGh|oOmo#`w%{AK!&zK6O
z{Ua5Ov>%ncoP9KUQXpbraR`ZXlO&Lx_nbqCoaHf|DmS)H`4*hAm!B|FS6rRV4%(_U
zo5XEjZGn;b6Rjw>tRB*y1`eJ5w}HB74GhJR<uO+PfVUU`!0q3)2D0eRN6N{`9%2D@
zgE&Heb_F4tEvmG<B)*|>L=*kN4{~cH)KwXu9O+(@dPwpff_+_Tra!@xH*(NKY#V;}
zZ5!VE+#CI|(qrpNFV&fSV7E{^jY53eZx@T-0`@mK-(yf>@_*8oPRJ3ns*AE#Dca@8
z+I~;Me-J{x5MWmMRt&G7X-rjH^*epH4X{{GTyJ-*b;dq9JQ$d38Afsgqh><CMIk8g
z<6TZ`!w<WL)fs0RM?%p__uRfE)GDp!DMva>!q+SlEAyyNORU=4hlxD%y}H8VL#KeE
zn%jm2h1SmPc9i*NyKy<ZntB;IWO$uw-Qo*JtxYUTa%|x7V93n6P8Ap`EA@)3NvKJy
zFZGp{{qCZGM5XxPi($ib8M0stot5Bh+{K1d`Qs<-H^)S|3rR(?!=w>g1={U9x_f5p
zy2s515N*w}5WNY>D%mD)9|beX5HW(A>qh$D#%ODwjv@GAfcgWsQS(983H`mL8#zw|
zXj3X<)O5DgxUbg0Tc%07Q!4gyg;w<kp`iQ_BKsquYzgR$^86kJ?8-%3e%|b5LhWza
zqI==H=x(0vw-E)qfz83LR*F!F8w6|*f&ba-Me8_t(#Vnfg_0zze=3+O1PwO~7f7dB
z3fwl7aZtwPEtr!_jyGTJ29Q-@c?iFeN!v|1BtABdWrf3IP620e9o!5XT+gVa)UJK|
zQt!Gk>6PWZ(Q|q_nmz^aiP&JmHG3e#6Co8$Ex&RcM@s}9jaqXt(I%H!3bZm>VMIO<
z*PxT8mZ4$NFqTRLmoTM=3V-d@m7&%dNNi`*YwR(3S|~v2s9zC`Bq`JDP71ooU5<sc
zR}~dNI*25jOt`|d8WZ~hXTDQYEaO_tW_aF<vLodF_+6zWZh+uLlCeCheA#FMTVjX9
zj#8y*4ZmY}R#yiFrP$5%@!(71URJwTXz;mc49=URR#CjY6;fFE{v}u1q^<EYWm%q}
zRT^`RDDx=r!uB*ZzcVwNgCjo!Ds#S1`^&av9(6kw(%hrFXO4iOd5sT24>OU)3rh4(
z<J~*VH~9R6tR(%}kP~}E-KHRNuX@_RC_F7icP&onleu>+m?;Z12N%ENSqE&Tb(tE`
zE5wztp)O4jG)?;ITxY+dEzOO&A-8qE==tQD?r<^XhRl-J`qar&6-y+dn`C_Yb$@SB
z;XX2qEKhWKr@T0O>TVP;l%2imrT24V$P?afr+kj?oxQ&IUXDaNg!wi`)-h~(g&Yv#
z85y4fFk?h)B`nvj*FrD+wm_-V9hq7B#$<jE+_y}WK|%?nJu?Y++|PVlO~`Du5L^|c
z^Odl?6xXP0T`uH`;x}_Zem6gUEO)9^?s+uF24zo~fxg{7P?g&xiRBlMVVd9j^ymgm
zTd(4~Hq!c8Po0C6fZTvfnTt$;y%F0wOMpk?)B$-CcAbeutX`s943S^MyN9(&J`j<-
zG)vqftE8oCiyTJwwdqzf<ia5~Ve^(DLJ^ad;!R>e?H|b<Jf5jY)d7o<7e}#}m}JGn
z2z@0(r(x|zmsg!epNZV3HkQPX=$F|fCsfnnF<sVOueC_+k{A7}iDSIDvFI0?74s;a
zgS9(2!39>;EDm6ADFxjE?HX)H2mD&@(sd_XYb<Q>Vf9^6vlM6}AAYj$9b(zKs>~w&
z)w#@>A3JOP?%%LX7CmYiCtqYF;;iXb)ybXOfdi-aoi{w0y=4l#^1+6u?uO=wOlP{~
zrDFFyVR&si(kgQxB(v6Grhs<RJ*0F78@XG!gl-b@&fc<{@Y35%=Ef=ps8Zz%`KmrF
zkE3Kty$!r6vSe3U0AvPswxnja{O8Al$|w*KDgajyyLO1N>etU<fO+~=@`QBLc7gR#
zWhpE5KF(~eDd`;|EdLgwYVxQii{z^o8)>YFYVR-NV*+a43&ilA+;Wkb)Q#^8H+a&1
zkhV9GaWu8qyu-Wizh*J<SWXWW5bKkwj#<YeJGzcl#4C4C^({*e$%$~~v;00j_1pDN
z<P7TrL`^(9=4L80Z_2w9T41Ujk5x1@y6zG(ZsKqdxgv{!pP7O0ld}<PgX8q^rXR_Q
zoU^iQ4kK!CqqAo1d?GvFUdmW0=!_Lz{=`KWU4zolHHZ?OvA~zgjgyO`la-4b#LCq@
z9t3UWAqhFiXw?*2W4dY;5?2*a#8#qTlP3{CMjZZP*7*c;exIK86|PcBs@G0$`l9%&
zCigCW`^VH{pA5@vNy%yUqZV?~mO?8qMN1wYj#XY4&5(G7()H4fl^u9&Gm&vO!JXNK
z>b4w7(q=!(dzhsWKLyyk(USQt8jo*^s$PyNV&1&|p)^LaP)}w<UEkpK*n#19`Gaj5
zx_c$PdX`{{cQ^(h+(NCIJEgUo_xbW3W0)W(GE#gk@IhbTxm08(${Bp32FCPSa0Y=_
z9d3wVHbIb*h(&YTbC%Ko#d*0xDNW-Z(Zots1&PnobA=2y=~TEmf+BeaUNhCSHTG89
zF&e<UO;L3vO36scO8T<txrL1HHzcHs<-ODAHCI&L2ZTrs=6ecH-V0sH?Gng%kWd?g
ztjIaI4LHG<`(E`O-b7aT{z(#!LW`!)l(@u~o2Qr;wc`pp68t0sh4JVpd_dO@E_5XR
zVt#&d8kcE`%WQ)an!bQJ*thAJI1ciV`%YEx_{I*pB|IzQAAB8Twu1FM0Op=BF=Ap)
zI{|6%kF{Wh#QXJMx$fJ&C((S6;q62F1zJt+@PMsr97Zxd1Gp0DB|YvUez?Ea<SBuO
z=8|UoPGcUeBB(XnqGabh`vW)*K+49!u%C4oo_!xo@DF*ikW8R`#xZAI`UsOf0)r}r
zl85FR=2^#}n>F-9m_q8u;I{ryc6k1`<-`uz2|<4&hPBNOmpV3QDHPMI?+mh(l-A;b
zyKe@WtBP}{!pHej-Xw}s-AK5z01V~ql*P|A#WBHun#T3;rGqYpq!xEz)Du7U_3Nd)
zvVrXN5Iq9WBFYlde!VQ5@Z_^iDNz1i7=ubQw-!IIKz}C5UH6iZW(oIjyyyCw8twUF
z1&_uB;mou_AFc)Bm*|DvBYJtvd{>iXF@A-rrc>)`d=ErP06T=zIIjfS*{h<VD>sp3
zm`Njv7sn!KD^Jk?1hQa*q|Dn~fimP+x&DW9cQncBv3zk2GQY(oRc?tFLo`i}%i(~h
zdv6Dhv}0yx5AcRX3CzO1)J^gn#ff`^`JLQQ^{=-ncs9Z|yf`1YqPn@pDzlyWb@$st
z_${~)KJBiq?x;wj@_7lIoi2M+<NX&>@S;>-f5GWb&u$%ipo&$aWllVn{i$>D1}s&{
z^^f>0=)06smA4DS|MTL(cYt1gLBkH=m(l?Pa!hgj^3%Av*}2mzy)KN1p)=2%RZE7m
z!SL5i5~vBikA7eXbU$%L$87+*>4+uF5@fVf{?(bZ?|Q3-<j}EKREgxxx+FHMKFc}%
zq4aO=Zd_Xe*JAoB!+C888hSpDe37gZDf68)eV5rdvcFa_kr~X2zrJdupuN`AWzlOJ
z<98{~oO5YV*ma;VdRL2}FM<DUcVDC-We&DZ6=fB!EtN`8pPC|P&j3iVw|7yAyNjC>
z5IMh6sLQ-SIalD4R7go-v#>Z$vjSWKI$c4x-B&QkF@N%szY=@rB<s&X0$7tepZ)dW
z{Z#vB()ABLKtbUDV+Su$u$LG99cB9G!Y5Lt=;==a^}^I&HO?v2pMwN&BGrqYo@-oi
zm;bDJPO1JJ=b8uT>1EA7Sj!9bUww2=vHl$AKDv!A7k~NaPr~(|mCq^H3uUdpD__oR
zmmT)273WUA0E+r|pvx)pavaZn`YR>-Cu~jN02=gfp802j_E+Fv4|Es6-_YCaZ@|Aj
z-u;UC>yhFDvzg#`nE!OZxQzR|!heD5gl4LL-v(U9_+81mz&JwhxL@|j<uG54&L0Kr
mGWPEh#s&5m`iuM@urJbwx-$0FbC_%B9}fDIW<hcO@BaYH6v0yf

literal 0
HcmV?d00001

diff --git a/target/maven-archiver/pom.properties b/target/maven-archiver/pom.properties
new file mode 100644
index 0000000..3ecb835
--- /dev/null
+++ b/target/maven-archiver/pom.properties
@@ -0,0 +1,3 @@
+artifactId=codeql-demo
+groupId=com.example
+version=1.0.0
diff --git a/target/maven-status/maven-compiler-plugin/compile/default-compile/createdFiles.lst b/target/maven-status/maven-compiler-plugin/compile/default-compile/createdFiles.lst
new file mode 100644
index 0000000..125ad74
--- /dev/null
+++ b/target/maven-status/maven-compiler-plugin/compile/default-compile/createdFiles.lst
@@ -0,0 +1,3 @@
+com/example/demo/VulnerableController.class
+com/example/demo/DemoApplication.class
+com/example/demo/DatabaseInitializer.class
diff --git a/target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst b/target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst
new file mode 100644
index 0000000..27cc0a8
--- /dev/null
+++ b/target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst
@@ -0,0 +1,3 @@
+/home/runner/work/coding-agent-example-codeql/coding-agent-example-codeql/src/main/java/com/example/demo/VulnerableController.java
+/home/runner/work/coding-agent-example-codeql/coding-agent-example-codeql/src/main/java/com/example/demo/DatabaseInitializer.java
+/home/runner/work/coding-agent-example-codeql/coding-agent-example-codeql/src/main/java/com/example/demo/DemoApplication.java

From 92f7ba2cfac938ad0a8b7802f65f82af25520dcd Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 26 Sep 2025 13:38:14 +0000
Subject: [PATCH 03/10] Add comprehensive examples, tests, and debug logging
 improvements

Co-authored-by: mickeygousset <20031479+mickeygousset@users.noreply.github.com>
---
 .github/workflows/ci.yml                      |   7 +-
 .github/workflows/codeql-analysis.yml         |   2 +
 .github/workflows/codeql-reusable.yml         |  11 +-
 .gitignore                                    |  42 +++++++
 README.md                                     |  13 ++-
 examples/custom-workflow.yml                  |  41 +++++++
 examples/query-pack-examples.md               | 103 ++++++++++++++++++
 pom.xml                                       |   8 ++
 .../com/example/demo/DemoApplicationTest.java |  34 ++++++
 target/classes/application.properties         |  23 ----
 .../example/demo/DatabaseInitializer.class    | Bin 2089 -> 0 bytes
 .../com/example/demo/DemoApplication.class    | Bin 703 -> 0 bytes
 .../example/demo/VulnerableController.class   | Bin 4328 -> 0 bytes
 target/codeql-demo-1.0.0.jar                  | Bin 6528 -> 0 bytes
 target/maven-archiver/pom.properties          |   3 -
 .../compile/default-compile/createdFiles.lst  |   3 -
 .../compile/default-compile/inputFiles.lst    |   3 -
 17 files changed, 257 insertions(+), 36 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 examples/custom-workflow.yml
 create mode 100644 examples/query-pack-examples.md
 create mode 100644 src/test/java/com/example/demo/DemoApplicationTest.java
 delete mode 100644 target/classes/application.properties
 delete mode 100644 target/classes/com/example/demo/DatabaseInitializer.class
 delete mode 100644 target/classes/com/example/demo/DemoApplication.class
 delete mode 100644 target/classes/com/example/demo/VulnerableController.class
 delete mode 100644 target/codeql-demo-1.0.0.jar
 delete mode 100644 target/maven-archiver/pom.properties
 delete mode 100644 target/maven-status/maven-compiler-plugin/compile/default-compile/createdFiles.lst
 delete mode 100644 target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 524a1e5..f69f982 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -27,7 +27,7 @@ jobs:
       
       - name: 'Build application'
         run: |
-          mvn clean compile -DskipTests
+          mvn clean compile
           echo "✅ Application built successfully"
       
       - name: 'Run basic validation'
@@ -47,6 +47,11 @@ jobs:
             exit 1
           fi
       
+      - name: 'Run tests'
+        run: |
+          mvn test
+          echo "✅ Tests completed successfully"
+      
       - name: 'Package application'
         run: |
           mvn package -DskipTests
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 6fc9e66..45168f7 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -72,4 +72,6 @@ jobs:
       query-packs: ${{ github.event.inputs.custom-query-packs }}
       query-suite: ${{ github.event.inputs.query-suite }}
       java-version: '11'
+      # Enable debug logging for manual analysis to help with troubleshooting
+      debug-logging: true
     secrets: inherit
\ No newline at end of file
diff --git a/.github/workflows/codeql-reusable.yml b/.github/workflows/codeql-reusable.yml
index e73222d..abb13db 100644
--- a/.github/workflows/codeql-reusable.yml
+++ b/.github/workflows/codeql-reusable.yml
@@ -41,6 +41,13 @@ on:
         required: false
         type: string
         default: '11'
+      
+      # Debug logging toggle
+      debug-logging:
+        description: 'Enable verbose debug logging for troubleshooting'
+        required: false
+        type: boolean
+        default: false
 
 jobs:
   codeql-analysis:
@@ -110,8 +117,8 @@ jobs:
           # Set analysis category for tracking
           category: 'java-security-analysis'
         env:
-          # Enable verbose logging for troubleshooting
-          CODEQL_ACTION_DEBUG: false
+          # Enable verbose logging for troubleshooting (configurable)
+          CODEQL_ACTION_DEBUG: ${{ inputs.debug-logging }}
 
       # Step 6: Upload analysis results as artifacts (optional)
       - name: 'Upload CodeQL results'
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..901890f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,42 @@
+# Maven build artifacts
+target/
+pom.xml.tag
+pom.xml.releaseBackup
+pom.xml.versionsBackup
+pom.xml.next
+release.properties
+dependency-reduced-pom.xml
+buildNumber.properties
+.mvn/timing.properties
+.mvn/wrapper/maven-wrapper.jar
+
+# IDE files
+.idea/
+*.iml
+*.ipr
+*.iws
+.vscode/
+.settings/
+.project
+.classpath
+
+# OS files
+.DS_Store
+Thumbs.db
+
+# Temporary files
+*.tmp
+*.temp
+*.swp
+*.swo
+*~
+
+# Logs
+*.log
+logs/
+
+# Spring Boot
+application-*.properties
+application-*.yml
+!application.properties
+!application.yml
\ No newline at end of file
diff --git a/README.md b/README.md
index 8e4f5da..a5e69e3 100644
--- a/README.md
+++ b/README.md
@@ -22,6 +22,9 @@ This demo addresses a common scenario where teams want to:
 │   ├── codeql-reusable.yml                 # Reusable CodeQL workflow
 │   ├── codeql-analysis.yml                 # Calling workflow with query pack examples
 │   └── ci.yml                              # Basic CI workflow
+├── examples/
+│   ├── custom-workflow.yml                 # Example organization-specific workflow
+│   └── query-pack-examples.md              # Query pack usage examples
 ├── pom.xml                                  # Maven build configuration
 └── README.md                               # This documentation
 ```
@@ -53,6 +56,7 @@ A flexible, reusable workflow that:
 - `language`: Programming language (default: java)
 - `java-version`: Java version for builds (default: 11)
 - `build-command`: Custom build command override
+- `debug-logging`: Enable verbose debug logging (default: false)
 
 ### Calling Workflow (`.github/workflows/codeql-analysis.yml`)
 
@@ -130,6 +134,13 @@ The application will start on `http://localhost:8080` with the following endpoin
 - `/api/files/{filename}` - Path traversal vulnerability
 - `/api/ping?host=<host>` - Command injection vulnerability
 
+## 📁 Example Files
+
+The `examples/` directory contains additional resources:
+
+- **`custom-workflow.yml`**: Example of how an organization might structure their CodeQL workflow with scheduled scans and different analysis levels
+- **`query-pack-examples.md`**: Comprehensive guide to using different query packs, including built-in and custom options
+
 ## 📚 Learning Resources
 
 ### CodeQL Documentation
@@ -160,7 +171,7 @@ The application will start on `http://localhost:8080` with the following endpoin
 
 ### Debugging Tips
 
-1. **Enable Debug Logging**: Set `CODEQL_ACTION_DEBUG: true` in the workflow
+1. **Enable Debug Logging**: Set `debug-logging: true` when calling the reusable workflow
 2. **Check Build Logs**: Review the "Build application" step for compilation errors
 3. **Verify Query Packs**: Ensure specified query packs are publicly available
 4. **Review Permissions**: Confirm the workflow has `security-events: write` permission
diff --git a/examples/custom-workflow.yml b/examples/custom-workflow.yml
new file mode 100644
index 0000000..2b0615d
--- /dev/null
+++ b/examples/custom-workflow.yml
@@ -0,0 +1,41 @@
+# Example: Custom workflow that calls the reusable CodeQL workflow
+# with organization-specific query packs and configurations
+
+name: 'Organization CodeQL Analysis'
+
+on:
+  push:
+    branches: [ "main", "develop", "release/*" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    # Run weekly security scans on Sundays at 2 AM UTC
+    - cron: '0 2 * * 0'
+
+jobs:
+  # Standard security analysis for all code changes
+  security-scan:
+    name: 'Security Analysis'
+    uses: ./.github/workflows/codeql-reusable.yml
+    with:
+      language: 'java'
+      query-suite: 'security-extended'
+      # Focus on critical security vulnerabilities
+      query-packs: 'codeql/java-queries:cwe-089,codeql/java-queries:cwe-079,codeql/java-queries:cwe-078'
+      java-version: '11'
+    secrets: inherit
+
+  # Comprehensive analysis (scheduled and manual only)
+  comprehensive-scan:
+    name: 'Comprehensive Analysis'
+    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+    uses: ./.github/workflows/codeql-reusable.yml
+    with:
+      language: 'java'
+      query-suite: 'security-and-quality'
+      # Include broader set of queries for comprehensive analysis
+      query-packs: 'codeql/java-queries:security,codeql/java-queries:quality,codeql/java-queries:maintainability'
+      java-version: '11'
+      # Use custom build for more thorough analysis
+      build-command: 'mvn clean compile -DskipTests -Dmaven.compiler.debug=true -Dmaven.compiler.debuglevel=lines,vars,source'
+    secrets: inherit
\ No newline at end of file
diff --git a/examples/query-pack-examples.md b/examples/query-pack-examples.md
new file mode 100644
index 0000000..2f7c2d3
--- /dev/null
+++ b/examples/query-pack-examples.md
@@ -0,0 +1,103 @@
+# CodeQL Query Pack Examples
+
+This document provides examples of commonly used CodeQL query packs that can be passed to the reusable workflow.
+
+## Built-in Query Packs
+
+### Security-Focused Packs
+
+```yaml
+# SQL Injection queries
+query-packs: 'codeql/java-queries:cwe-089'
+
+# Cross-Site Scripting queries  
+query-packs: 'codeql/java-queries:cwe-079'
+
+# Command Injection queries
+query-packs: 'codeql/java-queries:cwe-078'
+
+# Path Traversal queries
+query-packs: 'codeql/java-queries:cwe-022'
+
+# All OWASP Top 10 related queries
+query-packs: 'codeql/java-queries:owasp-top10'
+```
+
+### Quality and Maintainability
+
+```yaml
+# Code quality queries
+query-packs: 'codeql/java-queries:quality'
+
+# Maintainability queries
+query-packs: 'codeql/java-queries:maintainability'
+
+# Performance-related queries
+query-packs: 'codeql/java-queries:performance'
+```
+
+### Combined Examples
+
+```yaml
+# Security + Quality analysis
+query-packs: 'codeql/java-queries:security,codeql/java-queries:quality'
+
+# Specific vulnerability types
+query-packs: 'codeql/java-queries:cwe-079,codeql/java-queries:cwe-089,codeql/java-queries:cwe-078'
+
+# Comprehensive analysis
+query-packs: 'codeql/java-queries:security,codeql/java-queries:quality,codeql/java-queries:maintainability'
+```
+
+## Custom Query Packs
+
+If your organization has custom query packs, you can specify them:
+
+```yaml
+# Organization-specific pack
+query-packs: 'my-org/security-queries'
+
+# Mix of custom and built-in packs
+query-packs: 'my-org/security-queries,codeql/java-queries:cwe-089'
+
+# Version-specific packs
+query-packs: 'my-org/security-queries@1.2.0,codeql/java-queries:security'
+```
+
+## Query Suites vs Query Packs
+
+**Query Suites** (use `query-suite` parameter):
+- `default`: Standard security queries
+- `security-extended`: Enhanced security analysis
+- `security-and-quality`: Security + code quality
+
+**Query Packs** (use `query-packs` parameter):
+- More granular control
+- Can specify multiple packs
+- Can target specific vulnerability types
+- Can include custom organizational packs
+
+## Best Practices
+
+1. **Start Simple**: Begin with `security-extended` suite
+2. **Add Gradually**: Add specific query packs as needed  
+3. **Performance**: More queries = longer analysis time
+4. **Relevance**: Choose packs relevant to your codebase
+5. **Testing**: Test new query packs on smaller repositories first
+
+## Troubleshooting
+
+**Pack Not Found Error**:
+- Verify pack name spelling
+- Ensure pack is publicly available
+- Check if authentication is required
+
+**Long Analysis Times**:
+- Reduce number of query packs
+- Use more specific packs instead of broad ones
+- Consider running comprehensive analysis only on schedule
+
+**No Results**:
+- Verify the code contains detectable issues
+- Check if the pack targets the right language
+- Review CodeQL analysis logs for errors
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 89d5f0e..e46b0f5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -40,6 +40,14 @@
             <artifactId>spring-boot-starter-jdbc</artifactId>
             <version>2.7.0</version>
         </dependency>
+        
+        <!-- Test Dependencies -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-test</artifactId>
+            <version>2.7.0</version>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
     
     <build>
diff --git a/src/test/java/com/example/demo/DemoApplicationTest.java b/src/test/java/com/example/demo/DemoApplicationTest.java
new file mode 100644
index 0000000..a766f38
--- /dev/null
+++ b/src/test/java/com/example/demo/DemoApplicationTest.java
@@ -0,0 +1,34 @@
+package com.example.demo;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.test.context.TestPropertySource;
+
+/**
+ * Basic integration test to verify the Spring Boot application context loads correctly.
+ * This test ensures the application can start up without errors.
+ * 
+ * Note: This application contains intentional security vulnerabilities for demonstration
+ * purposes. In real applications, you would have comprehensive security tests.
+ */
+@SpringBootTest
+@TestPropertySource(properties = {
+    "spring.datasource.url=jdbc:h2:mem:testdb-test",
+    "logging.level.com.example.demo=WARN"
+})
+class DemoApplicationTest {
+
+    /**
+     * Test that the Spring Boot application context loads successfully.
+     * This verifies that:
+     * - All beans can be created
+     * - Database initialization works
+     * - No configuration errors exist
+     */
+    @Test
+    void contextLoads() {
+        // Spring Boot will automatically verify the context loads
+        // If there are any issues with bean creation or configuration,
+        // this test will fail
+    }
+}
\ No newline at end of file
diff --git a/target/classes/application.properties b/target/classes/application.properties
deleted file mode 100644
index 4a005f5..0000000
--- a/target/classes/application.properties
+++ /dev/null
@@ -1,23 +0,0 @@
-# Spring Boot Application Configuration for CodeQL Demo
-# This configuration uses H2 in-memory database for simplicity
-
-# Server configuration
-server.port=8080
-
-# H2 Database configuration
-spring.datasource.url=jdbc:h2:mem:testdb
-spring.datasource.driver-class-name=org.h2.Driver
-spring.datasource.username=sa
-spring.datasource.password=
-
-# H2 Console (for debugging - should be disabled in production)
-spring.h2.console.enabled=true
-spring.h2.console.path=/h2-console
-
-# JPA/Hibernate configuration
-spring.jpa.show-sql=true
-spring.jpa.hibernate.ddl-auto=none
-
-# Logging configuration
-logging.level.com.example.demo=DEBUG
-logging.level.org.springframework.jdbc=DEBUG
\ No newline at end of file
diff --git a/target/classes/com/example/demo/DatabaseInitializer.class b/target/classes/com/example/demo/DatabaseInitializer.class
deleted file mode 100644
index 2a64bb8e5204b20750553e77d798884c9cbb9ebb..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 2089
zcma)7ZBrXn6n<`iY)I2W!%Iumx>cwN1y&KXlG-+eAfe&KYzoEJmz(4Q8<M@5-5U!0
z690jp>p0ZujQ#-skmDD}bCVR7A>(wCy=Tuo=brnV*Zu3?H-7^75<f)|LXUyo82S)q
z7_9O`Zq>NEXKj?KqO2Ig4;<G~4;gwA$*q1w&~G3b!xh9B#>=v9i6dTb)Pz+Lb!jbe
z#Y@~5IXdI;nsXvNhFG;yDi;N5aU~e0^3vP0{D$Yad%GU5i<i<nu(Xa<mY%Ry1KOzw
zt}(pG6td}J)-0wM^I0>uY_4w<&Fr(BU9`=nFFfB&I2ALuUNkogxwUj*$9$6AnKE6n
zZEmFtnU!=QF*`q>oH9k7JGBdY$tVVK-9S8sAq+E2zB@PuLmY{6Q#&=1$e+i~R@%2z
zaw~#ShPm9joh=kKzKwIZZFn6-NrIGrnzhZuqbXDW3Dr%E8Mqb0dw8GW`nmC(tHhoT
zt8vI{O|h}dFq+6E1J`#nD0a6QBCB%WHJ7A_z+@P%5;s$k;&CT!Gn7IdfsbPN7~_=g
zW~0)|Qlg7P&jXjV>m!xSMR1oPy2@Q)+I2_mN01;yRpMuS%?EFaV3Og=qAZyjl`q{0
zrWkINWNAhNqm7`pff<IObI-F!WzkTMbo=osJ~J>I!{?a0P__24uSA`SRd^Jkkv3jO
zTAP#*MQIVdo{C}`U&N^T?-TAlq1J@&^F7Mpa3UDRP7>qPC<`&9@PL5U`GLqtx6IWx
zc}8!(;;!-;?skb*7h_R8#3KWbV@T^-Yx{N)9_3YchN`&?V}+)xoVwU@e5X_sY1fsC
z>j2P=_q%pcNpRP<c6nJz@7UsJ2ds2c$(N2NDk+BEjI5Bm19`_4>&<#ectuX;8RB_a
z=Cv*EIhyZm_NskHdzgQhW+&@$Julk5|8^QMFx?`7>N!g#9k^;MUOrgkjn0K;OYbO%
zepC9Y6>YCsR&*q4%cfTr%Z^5U^X)Z(p);eahMKu+kf=mFA=Pn1SQ%MwNLRSp=-{H1
z%2yt5tO>O*EB-(jb`(WCHL#^CV4Ei1c{Mujp*#>)yG+_evD}V3!_UET=qR?0u5h<f
z6aIK!%7bPj6$nYE-U2%p4i*V+7xiu}dD%pU*J`$-1dW6phTB=slb(5&Cz@3zHGOMv
zFPMx5cFuK$m#J~z7rucP3=^09?&gkxAISRutI~*R`;I&GF$qz3F<R+!LUfV1FwqRr
z5K;Oj(Yi#OMU)Zkn|uxSswK|Ss>Q%HEYqqDkOIEJ3Q>j}Nkgr}|FqtKlgZy;#IK%W
zp!G5m{sW<%p5EVa!`|tQe_-$Q#Xq!9ac4Uy?(2vrwD^-t;&4Zt)Z%+B@h=$4{|f8g
zDdykcE8rAgziMIIg+rsK2O9YTp$2ZDpT_PeCNNGkLBDxSlKTnrVwx(?LW$@u=IG=s
zsx<D7Nke-(O1@PwfK@zc**@v`ohMm8LVv?CFg<V<(KXuc#X7AaY@F?G68|kd5i(Jr
R=NY~uE=q6D@jZUT*njO5GDH9X

diff --git a/target/classes/com/example/demo/DemoApplication.class b/target/classes/com/example/demo/DemoApplication.class
deleted file mode 100644
index ed58fdf5d9ffa7c61370e127d648293c6900ee15..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 703
zcmah{!A=`75PePp8`89-fzm>IXnP7d)HgT;A+<rAR;|>aaNy)!%woE0M_w=Fw>W_~
z@B#g(s$(k>D-?-6ywS{f-pst6zyBT{0qo;b2MshMw7OWqDnsu|TnnBHo$+7El}sJO
z>VeYA9WpcryVD45hR>-fxSWe(mP>vv3&W2HzRza4N`+HKchJGB2;DAT;|;^m*o>Dm
zt8{i@MImpD{lgPu9G`?>t&+OfN;4#b_-T@HF3NIrR*OuWCmZd?%a~K6ot!&9Hu^$k
zl@&=YYb_}3(<6q~*qlp-^;l{7vnmp4PyAbker!^aPlZ+9Uj$q3Qk4u}<CnJg%!N?2
z#nxci&{N6_n-SN>k~BkSVk(=;W93KLd?xKTFAKx=?@BvW$f+uoUr%e}g7n0CxKx#(
zx2T*Ud4eo*q5cp05jA;6_=1Rz!ha1ge-?!6<Z-f$?8@*C>^7u(ggy;)@it(1fIc?J
vTf-*aEsFO78PM)W!+WfqKGpjR1T~1zt8uikh4&P1;6uP|?2z@nJ_7#%G(ffy

diff --git a/target/classes/com/example/demo/VulnerableController.class b/target/classes/com/example/demo/VulnerableController.class
deleted file mode 100644
index fa65818bd2d72983e9f66703b582a5a36cdf4e5d..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 4328
zcma)9`CA*u8GZ)@E6Xyr<&!jZ<kXyjY+SoZYGG1CAdm=yfk0iiaTaMnYgW7R?uw&n
z+B9v``@ZkH>0PHy@ztcq5B;J4N&kmFN#EIBT@NDR(WBX&nQy-1{f_zeKX2T59l#^_
zR{||))euXf4ebI4t{H2FZW;E9KD~5J=6r$nA=5VfVS(1(zJ(M|#go{Bgut<)u_{L$
zJ7@TdreENj=Nq=~33T^nYkcN>*R)qMecPAzAc=h%I+ECr0|H$+r>M&fqgb+}o|i>O
zUnpC)bd4oTiSb>>vZO1Jyp~_e%}bIQz7!b9I_`?@m6Via*C@($$6eJGjh=H{sXtjq
zok<{tLmCbzaRf&N`gebna<7-AyE*Q-S<@pfr*<~7?3<RZs4^)C#N+4`*yGC$UoZGY
zYcJk`do{c>i4(YwU@53JbWgf#mQ)meNuS^_7cR_7uS8^NXon|#g@d&H`OOj+jx^I?
zL9suX#Qk^|g|0|{(KUSq+p*rr1*W6V5Ugk;6Gs<q8&aAL4=p+Q&EW)k(5s;@iGHQv
zp}?1orvx+wxNq4h1`sVAq<%wsaC|7RayW%n#5FwB5L96>B=ByW(Qr12_u%1*0Gkq)
zO}c)@@Cyv0R_ZR0X=3A*?V%Kz*1&_#eiZN3a4v}qhPH_rr!0y|xYEdnY6<j4(i-_R
z30)0Lh!B_{S;jVUvgDhNoxpj#FNq5nA!}MNB|Xnrp|cKG;1B4dq(~u#cmiV>*YHFV
z6POe@SWBJRvhABi9#)*HlOqkBqGd)}TgWP##1t+H#N>v|3G_4pu->2<*U3@GjD{J3
zqZL<=l$V#KEAz7iN4gqj1v)ExlXj`>(*S7{!|ep-@wA48Bo^`h1_L7Ij13x4cdjuS
z>o(}KOZb2)Mpp!mN2)V0>Ph+*5}3w^6wxzuLX9ZYCeyc|;aN(k;TWPlQZ_9blfYH9
zDh|0M^2$wdT9VJ2wp2UINvxp2s%Ml+(#{JEz72j2yqQeb1Vln{vXUqU?0qMsNueEa
z;uv{s!Sqa4whOlH_=XA{2IHemYuS=CY)@Y{a=znk>PGc|exd9;>n7clp}R+&JR@bl
zGUQ^pxFp?qRX7DwStn;$3x;c|d9)bw3nu0DWOr3_$zG!apJt6BGG#s{iA-vH8Zv9W
z>lW+IoVj8fe%Yn`D?0;Nt&>9`t6)B5l%i>Urqsy_FQ&{ee*$NlBDOA<^d-~I*Ms#0
zlaWqUcacEbnqid{T)MKx)1M2CdS2lEM)%AZ>Ple&ZSd2>yOyeoSp|E_-Rnui%@q`q
zgg<7JH?d{$SE~ZM=Q}HT8+m@9p5nVMExJ-F#scS?Kpp`2_SX!vhZ&*J2z6s}RPLXU
z=`L6>3Y;=)_mR+PjW-9CO;oF;r{PPLI;ygKy1GLp^vI?tLsh*dWF-R1Y8tX`tkcXq
zQbbZ4%QB_L)#VZzwQtTha;uDnC>st27Z0PLLc%zRt4Nt})J@N;E~t^zv@Q%Qg_9Yf
z3W&n}c-7#>`bp`e@yZsNb=I+HtQ|DYV)F7)2*kGON(I6-=ak)?4DIi1))PIbO5IM?
zqggJnsR&w$u%)7U%?nTSqe0-+QYoezC6kx@h~xO4?;52k=@*>5x4#{~N#M8mord45
zj`0s{nQA53wAY+fsfP%JP2_l3-~_%?AHES`$aKQ6^SrfBWgTa=T*_>NvVNuEplX=v
zH$%CZ`c5J$EA@9{#A4L2tT{GOtnPneftVZ1j*ZTz`_tpI(^F}cDqebVVr+ISZRXSG
z(><amj#mWwcBWHNn9fc<HJ0w_5?v(!3qxzDaC&$#%;K~-$tLRba2$VSY7^g*o;Q3$
z7jfKVfRDMZ<EB;6F+S2NX3wR$b(^#*V$y@T^l7zlmzQ8jt6BjTSMDhSQnTZmwAova
zT88IIrs3=Czqfg(8R#1RA#mcYNg3{;hj5ZDeha@D1V=Xcd^()9^I3|X{OsWDI%hhc
zg3q@8n-H(?r3G$81l$Xc@5zt=KFXX4tl=m-D0O(2)UA9Tc;F5+V5<LB>>b#`!5dr)
z`KT`)pqIOS0k3pOAMxTztYd>bHOA^D-&*kD;OujO${pPK2>;Jtf$;EAe2jaV()R_v
z2z<P$BFElBkuwx@b_YdX+_fT~s44QvK#@=3r3jH1X+ex@-2<uPw{cGk25uuQaB(no
zY75<i#OVP*y`_j#cMb1*=n!BSaXdzsjqpQh6!+nAbg@lUKIjj*R&ndbrvr5<37^4d
zDRn=N;dA&r@%;knV}$36O)&g&p!%K`ZY$LlieEv3hm<>CA{*t-6IAm-p!GHAw{UuD
z;1(XaF-3hJyF;yTgJ+<==-70(2En2lYOuHKzzkO};V=WEqI3rv#;@XQ<b0TNzK(D3
zjS{McoWM5&L%zjT#^jtvt}0p^UH|PG;xBNM)vBVjP#vklZvGY?r`}I0c%PcOi|NaE
zap^L(p1X<5H}S!XcX5?Z<6LZT3rm;Jwf!51I%Az}TaYP}!{W<t{<kx>h1H6wcEwbF
zAXH85W}E`gU>|$Uqj(l+EHSe4I0H#+R!CW(3T9yb1cPlKhVWf{k4C3S_kH|;koEEX
zhxidedkCHQG0kt|nHo6rRdD9<lPWl;(E0}YG|X$5)^PQI=+vOU$)hbAl6-||4&6^{
z&?%3{@H37r_<4Y``i}es=f5PRVUqm{FLORX)ql;kKL+ECVEl71z8Z{M!FVee@8EAd
Oks$SJ_&ffI&i@1W*>X$(

diff --git a/target/codeql-demo-1.0.0.jar b/target/codeql-demo-1.0.0.jar
deleted file mode 100644
index e0194fb3613e50321bbda30e4d92b134406a6fc9..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 6528
zcmb7I2Q*w;_n#=ygQ%k=gh+JJTSSjCdM_WNW|YwxqYI)FHF_r@h!#VTFhSHIdPoqR
z=ryAJ$CvjW|Gd1n)^}#zwa(nT_wVex_qluT^HW#G#KH#vZ~=fEJ5eLRrGbZ@gXFZO
zI2Bdpxz*8P<Y+P6|B4NL77WxxKh{8B=(`tUASqQvc{wd@E|B~VsHa;+nUiaPNSTwZ
zuLo7F$uq<^J@3M$1maKx4Y-%oXl{ZylzX){T?jRCKimbOdbD^(_y+jq=3Ur&dlU!u
zlsZR<xE_M8+VU^Xf1SqwoZIlz)Mvk#iiNhp!qMTsR{mas@DB+q7}&wd-s)c@Nq>>F
zv~qB~B>t<Hh%djs1K7g~`Y*z?e-}oZ&GmPqeqDw2-xVz!Ev=mGIsY>CXQa-(w5Uh`
z`G^AmERg^J?7w?6U3Yt^l?&M1-b%(1>gM8TZ*S$oWnm9?bxqQP7}1UbB`|}Y&Trjz
z)JVH7B5)Je@@qRt^Hu^4MxZP;A=b*rcAz2^zcv3YRFr;N5oAzM@t_HG(6s!YV$jw|
zLH85CCCO#~rG(u{pkfXWVs2*U%RtkH#D>>s{mzDvWAl}1#$&!f%9@fe$Rn9IL61|S
zDP-yhy%n>2OewKVrMyRKK>q4dc11Q^om$RB-f`+qjrJUo;0`Y8)5hhL!@2LFYu@+`
z_v%3zz$t;X!oaLGW$zqtcEkzIwdtIoz96lUwls}$eQEB9s(h3Vrx8N_OT4YmXeGxC
zTR#`oPKbdNFOmxX$R*}Yfj0$S{Su8;<qD#^A#s2phJClA?jbRA+<P#E0zX|FFLu)#
zNu?&el2(%&?vokI1Kg~hf>kT&$y|k3<JC!GZxx!wa*y~l&83tz!Kl_Xx1dDyi1faA
zg%LM31bcGabw9Zqvpi&6Dg+hMD9tlJwZo6Zt@}2k?8d@0ZDy*i+5Jw$Ut|iETeCeu
zrVVSbqV_(w-Md{Qf>*yT6*w4l+ViA)Myx)@bGwzFryx_o3={sEh@k`Tt^3AI7Dl<B
zV5&<TV}r?#lkiB+xa|a_NKvIS-2{8k1|ix&K6b|z6yQiBJV~5Mc_v#nS8jH*wLOHM
zek!=dOfu@AR5%|D7<aIh7f}bbQpoelYQ%NQ&d3&&N3@8Vy%Mj|C83yd`-au`6_ch9
z9M)fBCJoD~d~ZhIDf^C@R7O0IG^zxqf~0Pzp!<}VR{p8kfRa&jwqxLS!KZt<pQN8>
zgyLoBk&xNt<>dT08~U2KO8(&~CFriOF7ckayR!x&PZ+d_tJhW&r0wfCS+4ENgqKeT
zW#x%v)#-se>%d7Td>+Ur^ypo(YwtM1>M`$|0OC&Tnw;qvm4b&TV~m8uFmiZ=)EGJb
zxRYty;LxT=^^=k!idRj+y5Z{m>WScpZo&_#uj9lbX_D2=NBP(&z*H2w8zm{juMAXD
zDDL2eTSD&OY&Mg1F%QHDpXf)9Wh|$DvtP8I*dj_5bsI!JZQ|f2oEW5v4%$GhHVg>o
zWS1WGm2~nD@k}CBpLRMwpmAw7>?82h6;#FU%+TU_DS{N3-}q$S!<{-bnmM6^VrlFG
z++Xf&b*ylq;Z~Y<hyf47^*Hu3fv%l`$0f=-1aFoS#yQ`zMk#sx2<K#<iG-NN`Qxi9
z!0mPB_8K8nb)u`hl(!z!e6%;>eOcm`!d14lYa^YXrQ@XL3M(SS>xvmAFUIjK(-Dko
z*m&Vt!Ae-C9-qam(j#aoRSHKOsX7&7PswN9=ubeDwwm9Oqt2@)<wC8k3m{j(T}qC@
zllpXf2Wr-JBt00#U0;0pw|$Y&k)`CU2yO?jmMAqrkLLyz<JzU_;}y$Q`1D;+n&Dyt
zue{vadQMkvE^L|n{oX@)aO${vX{gK<-0B>zR`IZI6`<=}dR9e)A*~qQfUp56v>!J1
z%4Oh$FLA4cvPDyD{~C==B}^m<qt*e=0=vs%ol#;$l6&&v`B9^q^!kuQUUkP#de@Ik
zI-={2)rsZ}8ob}*Z@AD+?U>}>V?2)6+PzjYJBoLF^{vj9n3u(|M1@LvQTl#FHHR$&
zF89-X@MEpb?UCIwywDtrP!r1>)df16dP5+>A^nl)9c~rUuLKhlN+^#oFtW<}*_&_c
z{+5rQ0Xw4!QAOT^`GW~$%Q^l9iyiVs3LmX`eFZ<4xpi!n1Z8E;TSgSR&Z<Qfyb()M
zjW|nvk;IuvlR?aPzbs>#Wo5{W&L0dJd`r>v=rFYWy>m3){jUu%>B));v>)%;pbF~U
zA6MPGy?iQtlxU1-OEJ5{UV&j>KAC`#xDf3)Y0W@n6uO9)JVV>)ztOeKc3Pe@yPv0W
zpia#SYjd0tdffUn#i#F@f30iz(86o8##U2Nn-Eu{4S_oq+qu|K5H5m%L4lJzAl4Sp
z5M<FP)rlP377N{J@phEPz701;erYD6Yxwj|5li;o<Qm?qkGVcX%J<96qo1+4x@W3!
z9zJr~PYu}iTla}NLvcOW+H@B05YX8^k$o_i@KiQtD)a-Uwi_IW3AK^-p;$27NA%`4
zuu=Wiws`D&Vb4954Md=rQNJf91bgvE0;^E}up0aTWBaZm+$8<9Ie`J^Drv_p!f_JG
z#877;207M^<anrK*r%L{5Gu@u?PV4pLEK$upKIC02By=tQQoFeIj8dhM_I`<?uw`E
zyCAy<ry*%nVh?xj=j^#JjXK-rZHO{7h)OlbPBOC_6Af)g#-yx|1o+&$DWs^QW!w~S
zD@q}A*Y9?p-j)E<johq?Sz0MNQJPS<>GVLxDf|SeJj;s5rzt=0CDZZ*-5|$D<-Pyu
z$e%kwxNVS;)$w?3QF0kGucq1|U_>|W`xB%H)7qGy(0(u#AKd4rQ*G09pe0dEKpwL@
zp0H9(ymR@i{RYY=NkUWP!7C9^{3_P7*8-LXNwl%1O4Sc)HpsIKC+~T8%zJzAzU3CZ
zPl|l;-2(}qY+(tX(<^=t7bj!M{bYA0VAg{o)kKRuUpt5vGh|oOmo#`w%{AK!&zK6O
z{Ua5Ov>%ncoP9KUQXpbraR`ZXlO&Lx_nbqCoaHf|DmS)H`4*hAm!B|FS6rRV4%(_U
zo5XEjZGn;b6Rjw>tRB*y1`eJ5w}HB74GhJR<uO+PfVUU`!0q3)2D0eRN6N{`9%2D@
zgE&Heb_F4tEvmG<B)*|>L=*kN4{~cH)KwXu9O+(@dPwpff_+_Tra!@xH*(NKY#V;}
zZ5!VE+#CI|(qrpNFV&fSV7E{^jY53eZx@T-0`@mK-(yf>@_*8oPRJ3ns*AE#Dca@8
z+I~;Me-J{x5MWmMRt&G7X-rjH^*epH4X{{GTyJ-*b;dq9JQ$d38Afsgqh><CMIk8g
z<6TZ`!w<WL)fs0RM?%p__uRfE)GDp!DMva>!q+SlEAyyNORU=4hlxD%y}H8VL#KeE
zn%jm2h1SmPc9i*NyKy<ZntB;IWO$uw-Qo*JtxYUTa%|x7V93n6P8Ap`EA@)3NvKJy
zFZGp{{qCZGM5XxPi($ib8M0stot5Bh+{K1d`Qs<-H^)S|3rR(?!=w>g1={U9x_f5p
zy2s515N*w}5WNY>D%mD)9|beX5HW(A>qh$D#%ODwjv@GAfcgWsQS(983H`mL8#zw|
zXj3X<)O5DgxUbg0Tc%07Q!4gyg;w<kp`iQ_BKsquYzgR$^86kJ?8-%3e%|b5LhWza
zqI==H=x(0vw-E)qfz83LR*F!F8w6|*f&ba-Me8_t(#Vnfg_0zze=3+O1PwO~7f7dB
z3fwl7aZtwPEtr!_jyGTJ29Q-@c?iFeN!v|1BtABdWrf3IP620e9o!5XT+gVa)UJK|
zQt!Gk>6PWZ(Q|q_nmz^aiP&JmHG3e#6Co8$Ex&RcM@s}9jaqXt(I%H!3bZm>VMIO<
z*PxT8mZ4$NFqTRLmoTM=3V-d@m7&%dNNi`*YwR(3S|~v2s9zC`Bq`JDP71ooU5<sc
zR}~dNI*25jOt`|d8WZ~hXTDQYEaO_tW_aF<vLodF_+6zWZh+uLlCeCheA#FMTVjX9
zj#8y*4ZmY}R#yiFrP$5%@!(71URJwTXz;mc49=URR#CjY6;fFE{v}u1q^<EYWm%q}
zRT^`RDDx=r!uB*ZzcVwNgCjo!Ds#S1`^&av9(6kw(%hrFXO4iOd5sT24>OU)3rh4(
z<J~*VH~9R6tR(%}kP~}E-KHRNuX@_RC_F7icP&onleu>+m?;Z12N%ENSqE&Tb(tE`
zE5wztp)O4jG)?;ITxY+dEzOO&A-8qE==tQD?r<^XhRl-J`qar&6-y+dn`C_Yb$@SB
z;XX2qEKhWKr@T0O>TVP;l%2imrT24V$P?afr+kj?oxQ&IUXDaNg!wi`)-h~(g&Yv#
z85y4fFk?h)B`nvj*FrD+wm_-V9hq7B#$<jE+_y}WK|%?nJu?Y++|PVlO~`Du5L^|c
z^Odl?6xXP0T`uH`;x}_Zem6gUEO)9^?s+uF24zo~fxg{7P?g&xiRBlMVVd9j^ymgm
zTd(4~Hq!c8Po0C6fZTvfnTt$;y%F0wOMpk?)B$-CcAbeutX`s943S^MyN9(&J`j<-
zG)vqftE8oCiyTJwwdqzf<ia5~Ve^(DLJ^ad;!R>e?H|b<Jf5jY)d7o<7e}#}m}JGn
z2z@0(r(x|zmsg!epNZV3HkQPX=$F|fCsfnnF<sVOueC_+k{A7}iDSIDvFI0?74s;a
zgS9(2!39>;EDm6ADFxjE?HX)H2mD&@(sd_XYb<Q>Vf9^6vlM6}AAYj$9b(zKs>~w&
z)w#@>A3JOP?%%LX7CmYiCtqYF;;iXb)ybXOfdi-aoi{w0y=4l#^1+6u?uO=wOlP{~
zrDFFyVR&si(kgQxB(v6Grhs<RJ*0F78@XG!gl-b@&fc<{@Y35%=Ef=ps8Zz%`KmrF
zkE3Kty$!r6vSe3U0AvPswxnja{O8Al$|w*KDgajyyLO1N>etU<fO+~=@`QBLc7gR#
zWhpE5KF(~eDd`;|EdLgwYVxQii{z^o8)>YFYVR-NV*+a43&ilA+;Wkb)Q#^8H+a&1
zkhV9GaWu8qyu-Wizh*J<SWXWW5bKkwj#<YeJGzcl#4C4C^({*e$%$~~v;00j_1pDN
z<P7TrL`^(9=4L80Z_2w9T41Ujk5x1@y6zG(ZsKqdxgv{!pP7O0ld}<PgX8q^rXR_Q
zoU^iQ4kK!CqqAo1d?GvFUdmW0=!_Lz{=`KWU4zolHHZ?OvA~zgjgyO`la-4b#LCq@
z9t3UWAqhFiXw?*2W4dY;5?2*a#8#qTlP3{CMjZZP*7*c;exIK86|PcBs@G0$`l9%&
zCigCW`^VH{pA5@vNy%yUqZV?~mO?8qMN1wYj#XY4&5(G7()H4fl^u9&Gm&vO!JXNK
z>b4w7(q=!(dzhsWKLyyk(USQt8jo*^s$PyNV&1&|p)^LaP)}w<UEkpK*n#19`Gaj5
zx_c$PdX`{{cQ^(h+(NCIJEgUo_xbW3W0)W(GE#gk@IhbTxm08(${Bp32FCPSa0Y=_
z9d3wVHbIb*h(&YTbC%Ko#d*0xDNW-Z(Zots1&PnobA=2y=~TEmf+BeaUNhCSHTG89
zF&e<UO;L3vO36scO8T<txrL1HHzcHs<-ODAHCI&L2ZTrs=6ecH-V0sH?Gng%kWd?g
ztjIaI4LHG<`(E`O-b7aT{z(#!LW`!)l(@u~o2Qr;wc`pp68t0sh4JVpd_dO@E_5XR
zVt#&d8kcE`%WQ)an!bQJ*thAJI1ciV`%YEx_{I*pB|IzQAAB8Twu1FM0Op=BF=Ap)
zI{|6%kF{Wh#QXJMx$fJ&C((S6;q62F1zJt+@PMsr97Zxd1Gp0DB|YvUez?Ea<SBuO
z=8|UoPGcUeBB(XnqGabh`vW)*K+49!u%C4oo_!xo@DF*ikW8R`#xZAI`UsOf0)r}r
zl85FR=2^#}n>F-9m_q8u;I{ryc6k1`<-`uz2|<4&hPBNOmpV3QDHPMI?+mh(l-A;b
zyKe@WtBP}{!pHej-Xw}s-AK5z01V~ql*P|A#WBHun#T3;rGqYpq!xEz)Du7U_3Nd)
zvVrXN5Iq9WBFYlde!VQ5@Z_^iDNz1i7=ubQw-!IIKz}C5UH6iZW(oIjyyyCw8twUF
z1&_uB;mou_AFc)Bm*|DvBYJtvd{>iXF@A-rrc>)`d=ErP06T=zIIjfS*{h<VD>sp3
zm`Njv7sn!KD^Jk?1hQa*q|Dn~fimP+x&DW9cQncBv3zk2GQY(oRc?tFLo`i}%i(~h
zdv6Dhv}0yx5AcRX3CzO1)J^gn#ff`^`JLQQ^{=-ncs9Z|yf`1YqPn@pDzlyWb@$st
z_${~)KJBiq?x;wj@_7lIoi2M+<NX&>@S;>-f5GWb&u$%ipo&$aWllVn{i$>D1}s&{
z^^f>0=)06smA4DS|MTL(cYt1gLBkH=m(l?Pa!hgj^3%Av*}2mzy)KN1p)=2%RZE7m
z!SL5i5~vBikA7eXbU$%L$87+*>4+uF5@fVf{?(bZ?|Q3-<j}EKREgxxx+FHMKFc}%
zq4aO=Zd_Xe*JAoB!+C888hSpDe37gZDf68)eV5rdvcFa_kr~X2zrJdupuN`AWzlOJ
z<98{~oO5YV*ma;VdRL2}FM<DUcVDC-We&DZ6=fB!EtN`8pPC|P&j3iVw|7yAyNjC>
z5IMh6sLQ-SIalD4R7go-v#>Z$vjSWKI$c4x-B&QkF@N%szY=@rB<s&X0$7tepZ)dW
z{Z#vB()ABLKtbUDV+Su$u$LG99cB9G!Y5Lt=;==a^}^I&HO?v2pMwN&BGrqYo@-oi
zm;bDJPO1JJ=b8uT>1EA7Sj!9bUww2=vHl$AKDv!A7k~NaPr~(|mCq^H3uUdpD__oR
zmmT)273WUA0E+r|pvx)pavaZn`YR>-Cu~jN02=gfp802j_E+Fv4|Es6-_YCaZ@|Aj
z-u;UC>yhFDvzg#`nE!OZxQzR|!heD5gl4LL-v(U9_+81mz&JwhxL@|j<uG54&L0Kr
mGWPEh#s&5m`iuM@urJbwx-$0FbC_%B9}fDIW<hcO@BaYH6v0yf

diff --git a/target/maven-archiver/pom.properties b/target/maven-archiver/pom.properties
deleted file mode 100644
index 3ecb835..0000000
--- a/target/maven-archiver/pom.properties
+++ /dev/null
@@ -1,3 +0,0 @@
-artifactId=codeql-demo
-groupId=com.example
-version=1.0.0
diff --git a/target/maven-status/maven-compiler-plugin/compile/default-compile/createdFiles.lst b/target/maven-status/maven-compiler-plugin/compile/default-compile/createdFiles.lst
deleted file mode 100644
index 125ad74..0000000
--- a/target/maven-status/maven-compiler-plugin/compile/default-compile/createdFiles.lst
+++ /dev/null
@@ -1,3 +0,0 @@
-com/example/demo/VulnerableController.class
-com/example/demo/DemoApplication.class
-com/example/demo/DatabaseInitializer.class
diff --git a/target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst b/target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst
deleted file mode 100644
index 27cc0a8..0000000
--- a/target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst
+++ /dev/null
@@ -1,3 +0,0 @@
-/home/runner/work/coding-agent-example-codeql/coding-agent-example-codeql/src/main/java/com/example/demo/VulnerableController.java
-/home/runner/work/coding-agent-example-codeql/coding-agent-example-codeql/src/main/java/com/example/demo/DatabaseInitializer.java
-/home/runner/work/coding-agent-example-codeql/coding-agent-example-codeql/src/main/java/com/example/demo/DemoApplication.java

From c31de54360c0bf5be9ed88afaa68ac561a785c24 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 26 Sep 2025 14:00:59 +0000
Subject: [PATCH 04/10] Add build mode support (none, autobuild, manual) with
 comprehensive documentation

Co-authored-by: mickeygousset <20031479+mickeygousset@users.noreply.github.com>
---
 .github/workflows/codeql-analysis.yml | 46 ++++++++++++++++++++++----
 .github/workflows/codeql-reusable.yml | 42 ++++++++++++++++++++----
 README.md                             | 47 ++++++++++++++++++++++++---
 examples/custom-workflow.yml          |  5 ++-
 examples/query-pack-examples.md       | 45 +++++++++++++++++++++++++
 5 files changed, 165 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 45168f7..ca48a81 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -28,6 +28,19 @@ on:
           - 'default'
           - 'security-extended' 
           - 'security-and-quality'
+      build-mode:
+        description: 'Build mode to use'
+        required: false
+        default: 'none'
+        type: choice
+        options:
+          - 'none'
+          - 'autobuild'
+          - 'manual'
+      custom-build-command:
+        description: 'Custom build command (only used with manual build mode)'
+        required: false
+        default: ''
 
 # Set permissions for the workflow
 permissions:
@@ -36,20 +49,22 @@ permissions:
   actions: read
 
 jobs:
-  # Job 1: Standard CodeQL analysis with default security queries
+  # Job 1: Standard CodeQL analysis with build mode "none" (default)
   standard-analysis:
-    name: 'Standard Security Analysis'
+    name: 'Standard Security Analysis (Build Mode: None)'
     uses: ./.github/workflows/codeql-reusable.yml
     with:
       language: 'java'
       query-suite: 'security-extended'
       java-version: '11'
+      # Use default build mode "none" - no explicit build needed
+      build-mode: 'none'
     # Pass secrets if needed (none required for this demo)
     secrets: inherit
 
-  # Job 2: Enhanced analysis with additional query packs
+  # Job 2: Enhanced analysis with autobuild mode
   enhanced-analysis:
-    name: 'Enhanced Security Analysis'
+    name: 'Enhanced Security Analysis (Build Mode: Autobuild)'
     uses: ./.github/workflows/codeql-reusable.yml
     with:
       language: 'java'
@@ -58,13 +73,27 @@ jobs:
       query-packs: 'codeql/java-queries:cwe-079,codeql/java-queries:cwe-089,codeql/java-queries:cwe-078'
       query-suite: 'security-and-quality'
       java-version: '11'
-      # Custom build command for more control
+      # Use autobuild mode - let CodeQL automatically build the project
+      build-mode: 'autobuild'
+    secrets: inherit
+
+  # Job 3: Manual build with custom build command
+  manual-build-analysis:
+    name: 'Manual Build Analysis (Build Mode: Manual)'
+    uses: ./.github/workflows/codeql-reusable.yml
+    with:
+      language: 'java'
+      query-packs: 'codeql/java-queries:cwe-079,codeql/java-queries:cwe-089'
+      query-suite: 'security-extended'
+      java-version: '11'
+      # Use manual build mode with custom build command
+      build-mode: 'manual'
       build-command: 'mvn clean compile -DskipTests -Dmaven.compiler.debug=true'
     secrets: inherit
 
-  # Job 3: Manual trigger analysis (only runs on workflow_dispatch)
+  # Job 4: Manual trigger analysis (only runs on workflow_dispatch)
   manual-analysis:
-    name: 'Manual Analysis with Custom Packs'
+    name: 'Manual Analysis with Custom Configuration'
     if: github.event_name == 'workflow_dispatch'
     uses: ./.github/workflows/codeql-reusable.yml
     with:
@@ -72,6 +101,9 @@ jobs:
       query-packs: ${{ github.event.inputs.custom-query-packs }}
       query-suite: ${{ github.event.inputs.query-suite }}
       java-version: '11'
+      # Use user-selected build mode
+      build-mode: ${{ github.event.inputs.build-mode }}
+      build-command: ${{ github.event.inputs.custom-build-command }}
       # Enable debug logging for manual analysis to help with troubleshooting
       debug-logging: true
     secrets: inherit
\ No newline at end of file
diff --git a/.github/workflows/codeql-reusable.yml b/.github/workflows/codeql-reusable.yml
index abb13db..1316cf2 100644
--- a/.github/workflows/codeql-reusable.yml
+++ b/.github/workflows/codeql-reusable.yml
@@ -3,6 +3,12 @@ name: 'CodeQL Analysis - Reusable Workflow'
 # This is a reusable workflow that performs CodeQL analysis on Java code.
 # It accepts query pack suggestions as input parameters, allowing calling
 # workflows to specify additional security queries to run beyond the defaults.
+#
+# Key Features:
+# - Configurable build modes: "none" (default), "autobuild", or "manual"
+# - Custom query pack support
+# - Flexible build configuration
+# - Debug logging options
 
 on:
   workflow_call:
@@ -28,9 +34,16 @@ on:
         type: string
         default: 'security-extended'
       
-      # Build command override (optional)
+      # Build mode configuration
+      build-mode:
+        description: 'CodeQL build mode: "none" (no build needed - fastest, recommended for Java/C#), "autobuild" (automatic detection), or "manual" (requires build-command)'
+        required: false
+        type: string
+        default: 'none'
+      
+      # Build command (only used when build-mode is "manual")
       build-command:
-        description: 'Custom build command (if not provided, will use auto-build)'
+        description: 'Custom build command (only used when build-mode is "manual")'
         required: false
         type: string
         default: ''
@@ -85,29 +98,44 @@ jobs:
           queries: ${{ inputs.query-suite }}
           # Add query packs if specified
           packs: ${{ inputs.query-packs }}
+          # Set build mode based on input parameter
+          build-mode: ${{ inputs.build-mode }}
         env:
           # Increase memory for CodeQL analysis
           CODEQL_ACTION_EXTRA_OPTIONS: '{"database": {"interpret-results": {"max-paths": 4}}}'
 
-      # Step 4: Build the application
+      # Step 4: Build the application (only for manual build mode)
       - name: 'Build application'
+        if: inputs.build-mode == 'manual'
         run: |
           if [ -n "${{ inputs.build-command }}" ]; then
             echo "Using custom build command: ${{ inputs.build-command }}"
             ${{ inputs.build-command }}
           else
-            echo "Using auto-build for Java project"
+            echo "Manual build mode selected but no build command provided, attempting auto-detection"
             if [ -f "pom.xml" ]; then
-              echo "Detected Maven project"
+              echo "Detected Maven project - using default Maven build"
               mvn clean compile -DskipTests
             elif [ -f "build.gradle" ] || [ -f "build.gradle.kts" ]; then
-              echo "Detected Gradle project" 
+              echo "Detected Gradle project - using default Gradle build"
               ./gradlew build -x test
             else
-              echo "No recognized build file found, using CodeQL autobuild"
+              echo "No recognized build file found - cannot build in manual mode"
+              exit 1
             fi
           fi
 
+      # Step 4b: Build note for other build modes
+      - name: 'Build mode information'
+        if: inputs.build-mode != 'manual'
+        run: |
+          if [ "${{ inputs.build-mode }}" == "none" ]; then
+            echo "Using build mode 'none' - CodeQL will analyze without building the project"
+            echo "This is recommended for compiled languages like Java and C# when source code analysis is sufficient"
+          elif [ "${{ inputs.build-mode }}" == "autobuild" ]; then
+            echo "Using build mode 'autobuild' - CodeQL will automatically detect and build the project"
+          fi
+
       # Step 5: Perform CodeQL Analysis
       - name: 'Perform CodeQL Analysis'
         uses: github/codeql-action/analyze@v3
diff --git a/README.md b/README.md
index a5e69e3..589ca7e 100644
--- a/README.md
+++ b/README.md
@@ -55,15 +55,52 @@ A flexible, reusable workflow that:
 - `query-suite`: CodeQL query suite to use
 - `language`: Programming language (default: java)
 - `java-version`: Java version for builds (default: 11)
-- `build-command`: Custom build command override
+- `build-mode`: CodeQL build mode - "none", "autobuild", or "manual" (default: "none")
+- `build-command`: Custom build command (only used when build-mode is "manual")
 - `debug-logging`: Enable verbose debug logging (default: false)
 
 ### Calling Workflow (`.github/workflows/codeql-analysis.yml`)
 
-Demonstrates three different analysis approaches:
-1. **Standard Analysis**: Basic security scanning with default queries
-2. **Enhanced Analysis**: Additional query packs for comprehensive scanning
-3. **Manual Analysis**: User-triggered analysis with custom parameters
+Demonstrates four different analysis approaches:
+1. **Standard Analysis**: Basic security scanning using build mode "none" (default)
+2. **Enhanced Analysis**: Additional query packs with autobuild mode
+3. **Manual Build Analysis**: Custom build command with manual build mode
+4. **Manual Analysis**: User-triggered analysis with configurable build mode
+
+### Build Modes
+
+The reusable workflow supports three different CodeQL build modes:
+
+#### Build Mode: "none" (Default, Recommended)
+- **When to use**: For compiled languages like Java and C# when source code analysis is sufficient
+- **Benefits**: Faster analysis, no build dependencies required
+- **Example**: 
+```yaml
+uses: ./.github/workflows/codeql-reusable.yml
+with:
+  build-mode: 'none'  # Default - no build needed
+```
+
+#### Build Mode: "autobuild"
+- **When to use**: When you want CodeQL to automatically detect and build your project
+- **Benefits**: Automatic build detection, good for most standard projects
+- **Example**:
+```yaml
+uses: ./.github/workflows/codeql-reusable.yml
+with:
+  build-mode: 'autobuild'  # Let CodeQL build automatically
+```
+
+#### Build Mode: "manual"
+- **When to use**: When you need specific build commands or custom build configurations
+- **Benefits**: Full control over the build process
+- **Example**:
+```yaml
+uses: ./.github/workflows/codeql-reusable.yml
+with:
+  build-mode: 'manual'
+  build-command: 'mvn clean compile -DskipTests -Dmaven.compiler.debug=true'
+```
 
 ## 🚀 Usage
 
diff --git a/examples/custom-workflow.yml b/examples/custom-workflow.yml
index 2b0615d..3768892 100644
--- a/examples/custom-workflow.yml
+++ b/examples/custom-workflow.yml
@@ -23,6 +23,8 @@ jobs:
       # Focus on critical security vulnerabilities
       query-packs: 'codeql/java-queries:cwe-089,codeql/java-queries:cwe-079,codeql/java-queries:cwe-078'
       java-version: '11'
+      # Use default build mode "none" for faster analysis
+      build-mode: 'none'
     secrets: inherit
 
   # Comprehensive analysis (scheduled and manual only)
@@ -36,6 +38,7 @@ jobs:
       # Include broader set of queries for comprehensive analysis
       query-packs: 'codeql/java-queries:security,codeql/java-queries:quality,codeql/java-queries:maintainability'
       java-version: '11'
-      # Use custom build for more thorough analysis
+      # Use manual build for more thorough analysis with custom build configuration
+      build-mode: 'manual'
       build-command: 'mvn clean compile -DskipTests -Dmaven.compiler.debug=true -Dmaven.compiler.debuglevel=lines,vars,source'
     secrets: inherit
\ No newline at end of file
diff --git a/examples/query-pack-examples.md b/examples/query-pack-examples.md
index 2f7c2d3..3b8e901 100644
--- a/examples/query-pack-examples.md
+++ b/examples/query-pack-examples.md
@@ -77,8 +77,53 @@ query-packs: 'my-org/security-queries@1.2.0,codeql/java-queries:security'
 - Can target specific vulnerability types
 - Can include custom organizational packs
 
+## Build Modes
+
+CodeQL supports different build modes for compiled languages:
+
+### Build Mode: "none" (Recommended Default)
+```yaml
+uses: ./.github/workflows/codeql-reusable.yml
+with:
+  build-mode: 'none'
+```
+- **Best for**: Java, C#, and other compiled languages
+- **Performance**: Fastest analysis time
+- **Use case**: Source code analysis without compilation
+- **Dependencies**: No build tools required in the environment
+
+### Build Mode: "autobuild"
+```yaml
+uses: ./.github/workflows/codeql-reusable.yml
+with:
+  build-mode: 'autobuild'
+```
+- **Best for**: Standard projects with conventional build setups
+- **Performance**: Moderate analysis time
+- **Use case**: When CodeQL can automatically detect and build your project
+- **Dependencies**: Build tools must be available in the environment
+
+### Build Mode: "manual"
+```yaml
+uses: ./.github/workflows/codeql-reusable.yml
+with:
+  build-mode: 'manual'
+  build-command: 'mvn clean compile -DskipTests -Dmaven.compiler.debug=true'
+```
+- **Best for**: Custom build configurations, complex projects
+- **Performance**: Variable (depends on build complexity)
+- **Use case**: When you need full control over the build process
+- **Dependencies**: All build dependencies must be configured
+
 ## Best Practices
 
+### Build Mode Selection
+1. **Start with "none"**: For Java/C# projects, begin with build mode "none"
+2. **Use "autobuild"**: If "none" doesn't provide sufficient analysis coverage
+3. **Choose "manual"**: Only when you need specific build configurations
+4. **Performance**: "none" > "autobuild" > "manual" in terms of speed
+
+### Query Pack Selection
 1. **Start Simple**: Begin with `security-extended` suite
 2. **Add Gradually**: Add specific query packs as needed  
 3. **Performance**: More queries = longer analysis time

From 596253822bfae222e6c20c3ee784ac71db45eab2 Mon Sep 17 00:00:00 2001
From: Mickey Gousset <mickeygousset@github.com>
Date: Fri, 26 Sep 2025 09:07:33 -0500
Subject: [PATCH 05/10] Disable enhanced and manual build analysis jobs

Comment out enhanced and manual build analysis jobs in CodeQL workflow.
---
 .github/workflows/codeql-analysis.yml | 52 +++++++++++++--------------
 1 file changed, 26 insertions(+), 26 deletions(-)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index ca48a81..b683761 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -63,33 +63,33 @@ jobs:
     secrets: inherit
 
   # Job 2: Enhanced analysis with autobuild mode
-  enhanced-analysis:
-    name: 'Enhanced Security Analysis (Build Mode: Autobuild)'
-    uses: ./.github/workflows/codeql-reusable.yml
-    with:
-      language: 'java'
-      # Specify additional query packs for more comprehensive analysis
-      # These packs focus on specific vulnerability types
-      query-packs: 'codeql/java-queries:cwe-079,codeql/java-queries:cwe-089,codeql/java-queries:cwe-078'
-      query-suite: 'security-and-quality'
-      java-version: '11'
-      # Use autobuild mode - let CodeQL automatically build the project
-      build-mode: 'autobuild'
-    secrets: inherit
+  #enhanced-analysis:
+  #  name: 'Enhanced Security Analysis (Build Mode: Autobuild)'
+  #  uses: ./.github/workflows/codeql-reusable.yml
+  #  with:
+  #    language: 'java'
+  #    # Specify additional query packs for more comprehensive analysis
+  #    # These packs focus on specific vulnerability types
+  #    query-packs: 'codeql/java-queries:cwe-079,codeql/java-queries:cwe-089,codeql/java-queries:cwe-078'
+  #    query-suite: 'security-and-quality'
+  #    java-version: '11'
+  #    # Use autobuild mode - let CodeQL automatically build the project
+  #    build-mode: 'autobuild'
+  #  secrets: inherit
 
   # Job 3: Manual build with custom build command
-  manual-build-analysis:
-    name: 'Manual Build Analysis (Build Mode: Manual)'
-    uses: ./.github/workflows/codeql-reusable.yml
-    with:
-      language: 'java'
-      query-packs: 'codeql/java-queries:cwe-079,codeql/java-queries:cwe-089'
-      query-suite: 'security-extended'
-      java-version: '11'
-      # Use manual build mode with custom build command
-      build-mode: 'manual'
-      build-command: 'mvn clean compile -DskipTests -Dmaven.compiler.debug=true'
-    secrets: inherit
+  #manual-build-analysis:
+  #  name: 'Manual Build Analysis (Build Mode: Manual)'
+  #  uses: ./.github/workflows/codeql-reusable.yml
+  #  with:
+  #    language: 'java'
+  #    query-packs: 'codeql/java-queries:cwe-079,codeql/java-queries:cwe-089'
+  #    query-suite: 'security-extended'
+  #    java-version: '11'
+  #    # Use manual build mode with custom build command
+  #    build-mode: 'manual'
+  #    build-command: 'mvn clean compile -DskipTests -Dmaven.compiler.debug=true'
+  #  secrets: inherit
 
   # Job 4: Manual trigger analysis (only runs on workflow_dispatch)
   manual-analysis:
@@ -106,4 +106,4 @@ jobs:
       build-command: ${{ github.event.inputs.custom-build-command }}
       # Enable debug logging for manual analysis to help with troubleshooting
       debug-logging: true
-    secrets: inherit
\ No newline at end of file
+    secrets: inherit

From 9edddcf3a2f3483780571750ff0fe88aff56b0d2 Mon Sep 17 00:00:00 2001
From: Mickey Gousset <mickeygousset@github.com>
Date: Fri, 26 Sep 2025 09:10:43 -0500
Subject: [PATCH 06/10] Update CodeQL analysis configuration for Java

---
 .github/workflows/codeql-analysis.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index b683761..36b6ed0 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -55,7 +55,11 @@ jobs:
     uses: ./.github/workflows/codeql-reusable.yml
     with:
       language: 'java'
-      query-suite: 'security-extended'
+      #query-suite: 'security-extended'
+      # Specify additional query packs for more comprehensive analysis
+      # These packs focus on specific vulnerability types
+      query-packs: 'codeql/java-queries:cwe-079,codeql/java-queries:cwe-089,codeql/java-queries:cwe-078'
+      query-suite: 'security-and-quality'
       java-version: '11'
       # Use default build mode "none" - no explicit build needed
       build-mode: 'none'

From 319bb7b1fd635970600a7b79b0f9aba2da77ee56 Mon Sep 17 00:00:00 2001
From: Mickey Gousset <mickeygousset@github.com>
Date: Fri, 26 Sep 2025 09:23:59 -0500
Subject: [PATCH 07/10] Update codeql-reusable.yml

---
 .github/workflows/codeql-reusable.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/codeql-reusable.yml b/.github/workflows/codeql-reusable.yml
index 1316cf2..ef7c0cd 100644
--- a/.github/workflows/codeql-reusable.yml
+++ b/.github/workflows/codeql-reusable.yml
@@ -89,6 +89,11 @@ jobs:
           distribution: 'temurin'
           cache: 'maven'
 
+      # Step 2.5 : Debugging
+      - name: Debugging
+        run: |
+          ls -al /opt/hostedtoolcache/CodeQL/2.23.1/x64/codeql/qlpacks/codeql/java-queries/1.8.0
+
       # Step 3: Initialize CodeQL with specified configuration
       - name: 'Initialize CodeQL'
         uses: github/codeql-action/init@v3
@@ -157,4 +162,4 @@ jobs:
           path: |
             ${{ runner.temp }}/codeql_databases/
             !${{ runner.temp }}/codeql_databases/**/*.zip
-          retention-days: 30
\ No newline at end of file
+          retention-days: 30

From efc00eeca4651c443e5aee6bf4021028d65183ac Mon Sep 17 00:00:00 2001
From: Mickey Gousset <mickeygousset@github.com>
Date: Fri, 26 Sep 2025 09:43:32 -0500
Subject: [PATCH 08/10] Update CodeQL query packs for Java analysis

---
 .github/workflows/codeql-analysis.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 36b6ed0..34cacee 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -58,8 +58,8 @@ jobs:
       #query-suite: 'security-extended'
       # Specify additional query packs for more comprehensive analysis
       # These packs focus on specific vulnerability types
-      query-packs: 'codeql/java-queries:cwe-079,codeql/java-queries:cwe-089,codeql/java-queries:cwe-078'
-      query-suite: 'security-and-quality'
+      query-packs: 'codeql/java-queries@1.8.0'
+      #query-suite: 'security-and-quality'
       java-version: '11'
       # Use default build mode "none" - no explicit build needed
       build-mode: 'none'

From 4f064713e6e9ee4fde2f70df39a16e5597a8533e Mon Sep 17 00:00:00 2001
From: Mickey Gousset <mickeygousset@github.com>
Date: Fri, 26 Sep 2025 09:44:54 -0500
Subject: [PATCH 09/10] Disable debugging step in codeql-reusable.yml

Comment out debugging step in CodeQL workflow
---
 .github/workflows/codeql-reusable.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/codeql-reusable.yml b/.github/workflows/codeql-reusable.yml
index ef7c0cd..cd65f64 100644
--- a/.github/workflows/codeql-reusable.yml
+++ b/.github/workflows/codeql-reusable.yml
@@ -90,9 +90,9 @@ jobs:
           cache: 'maven'
 
       # Step 2.5 : Debugging
-      - name: Debugging
-        run: |
-          ls -al /opt/hostedtoolcache/CodeQL/2.23.1/x64/codeql/qlpacks/codeql/java-queries/1.8.0
+      #- name: Debugging
+      #  run: |
+      #    ls -al /opt/hostedtoolcache/CodeQL/2.23.1/x64/codeql/qlpacks/codeql/java-queries/1.8.0
 
       # Step 3: Initialize CodeQL with specified configuration
       - name: 'Initialize CodeQL'

From 54263345bbb1f6394598527361a8b67df2952fd6 Mon Sep 17 00:00:00 2001
From: Mickey Gousset <mickeygousset@github.com>
Date: Fri, 26 Sep 2025 10:01:23 -0500
Subject: [PATCH 10/10] Comment out queries input in CodeQL workflow

Comment out the queries input to prioritize custom pack usage.
---
 .github/workflows/codeql-reusable.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/codeql-reusable.yml b/.github/workflows/codeql-reusable.yml
index cd65f64..21ad59a 100644
--- a/.github/workflows/codeql-reusable.yml
+++ b/.github/workflows/codeql-reusable.yml
@@ -100,7 +100,9 @@ jobs:
         with:
           languages: ${{ inputs.language }}
           # Use the specified query suite
-          queries: ${{ inputs.query-suite }}
+          # I AM COMMENTING THIS OUT TO MAKE SURE IT ONLY USES MY PACK. THIS WILL BREAK OTHER THINGS THAT USE THIS PARAM
+          # ULTIMATELY I SHOULD UPDATE MY CODE TO HANDLE THE SCENARIO
+          # queries: ${{ inputs.query-suite }}
           # Add query packs if specified
           packs: ${{ inputs.query-packs }}
           # Set build mode based on input parameter