devopselvis · Copilot · Sep 26, 2025 · Sep 26, 2025 · Sep 26, 2025 · Sep 26, 2025
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,58 @@
+name: 'Continuous Integration'
+
+# Simple CI workflow to build and test the Java application
+# This runs independently of CodeQL analysis
+
+on:
+  push:
+    branches: [ "main", "develop" ]
+  pull_request:
+    branches: [ "main" ]
+
+jobs:
+  build-and-test:
+    name: 'Build and Test'
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: 'Checkout code'
+        uses: actions/checkout@v4
+
+      - name: 'Set up Java 11'
+        uses: actions/setup-java@v4
+        with:
+          java-version: '11'
+          distribution: 'temurin'
+          cache: 'maven'
+
+      - name: 'Build application'
+        run: |
+          mvn clean compile
+          echo "✅ Application built successfully"
+
+      - name: 'Run basic validation'
+        run: |
+          # Check that main classes were compiled
+          if [ -f "target/classes/com/example/demo/DemoApplication.class" ]; then
+            echo "✅ Main application class compiled"
+          else
+            echo "❌ Main application class not found"
+            exit 1
+          fi
+
+          if [ -f "target/classes/com/example/demo/VulnerableController.class" ]; then
+            echo "✅ Vulnerable controller compiled (contains security issues for demo)"
+          else
+            echo "❌ Vulnerable controller not found"
+            exit 1
+          fi
+
+      - name: 'Run tests'
+        run: |
+          mvn test
+          echo "✅ Tests completed successfully"
+
+      - name: 'Package application'
+        run: |
+          mvn package -DskipTests
+          echo "✅ Application packaged successfully"
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,113 @@
+name: 'CodeQL Security Analysis'
+
+# This workflow demonstrates how to call the reusable CodeQL workflow
+# and pass custom query packs for enhanced security scanning.
+
+on:
+  # Trigger on pushes to main branch
+  push:
+    branches: [ "main", "develop" ]
+
+  # Trigger on pull requests to main branch  
+  pull_request:
+    branches: [ "main" ]
+
+  # Allow manual triggering
+  workflow_dispatch:
+    inputs:
+      custom-query-packs:
+        description: 'Additional query packs to run (comma-separated)'
+        required: false
+        default: ''
+      query-suite:
+        description: 'Query suite to use'
+        required: false
+        default: 'security-extended'
+        type: choice
+        options:
+          - 'default'
+          - 'security-extended' 
+          - 'security-and-quality'
+      build-mode:
+        description: 'Build mode to use'
+        required: false
+        default: 'none'
+        type: choice
+        options:
+          - 'none'
+          - 'autobuild'
+          - 'manual'
+      custom-build-command:
+        description: 'Custom build command (only used with manual build mode)'
+        required: false
+        default: ''
+
+# Set permissions for the workflow
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+
+jobs:
+  # Job 1: Standard CodeQL analysis with build mode "none" (default)
+  standard-analysis:
+    name: 'Standard Security Analysis (Build Mode: None)'
+    uses: ./.github/workflows/codeql-reusable.yml
+    with:
+      language: 'java'
+      #query-suite: 'security-extended'
+      # Specify additional query packs for more comprehensive analysis
+      # These packs focus on specific vulnerability types
+      query-packs: 'codeql/java-queries@1.8.0'
+      #query-suite: 'security-and-quality'
+      java-version: '11'
+      # Use default build mode "none" - no explicit build needed
+      build-mode: 'none'
+    # Pass secrets if needed (none required for this demo)
+    secrets: inherit
+
+  # Job 2: Enhanced analysis with autobuild mode
+  #enhanced-analysis:
+  #  name: 'Enhanced Security Analysis (Build Mode: Autobuild)'
+  #  uses: ./.github/workflows/codeql-reusable.yml
+  #  with:
+  #    language: 'java'
+  #    # Specify additional query packs for more comprehensive analysis
+  #    # These packs focus on specific vulnerability types
+  #    query-packs: 'codeql/java-queries:cwe-079,codeql/java-queries:cwe-089,codeql/java-queries:cwe-078'
+  #    query-suite: 'security-and-quality'
+  #    java-version: '11'
+  #    # Use autobuild mode - let CodeQL automatically build the project
+  #    build-mode: 'autobuild'
+  #  secrets: inherit
+
+  # Job 3: Manual build with custom build command
+  #manual-build-analysis:
+  #  name: 'Manual Build Analysis (Build Mode: Manual)'
+  #  uses: ./.github/workflows/codeql-reusable.yml
+  #  with:
+  #    language: 'java'
+  #    query-packs: 'codeql/java-queries:cwe-079,codeql/java-queries:cwe-089'
+  #    query-suite: 'security-extended'
+  #    java-version: '11'
+  #    # Use manual build mode with custom build command
+  #    build-mode: 'manual'
+  #    build-command: 'mvn clean compile -DskipTests -Dmaven.compiler.debug=true'
+  #  secrets: inherit
+
+  # Job 4: Manual trigger analysis (only runs on workflow_dispatch)
+  manual-analysis:
+    name: 'Manual Analysis with Custom Configuration'
+    if: github.event_name == 'workflow_dispatch'
+    uses: ./.github/workflows/codeql-reusable.yml
+    with:
+      language: 'java'
+      query-packs: ${{ github.event.inputs.custom-query-packs }}
+      query-suite: ${{ github.event.inputs.query-suite }}
+      java-version: '11'
+      # Use user-selected build mode
+      build-mode: ${{ github.event.inputs.build-mode }}
+      build-command: ${{ github.event.inputs.custom-build-command }}
+      # Enable debug logging for manual analysis to help with troubleshooting
+      debug-logging: true
+    secrets: inherit
diff --git a/.github/workflows/codeql-reusable.yml b/.github/workflows/codeql-reusable.yml
@@ -0,0 +1,167 @@
+name: 'CodeQL Analysis - Reusable Workflow'
+
+# This is a reusable workflow that performs CodeQL analysis on Java code.
+# It accepts query pack suggestions as input parameters, allowing calling
+# workflows to specify additional security queries to run beyond the defaults.
+#
+# Key Features:
+# - Configurable build modes: "none" (default), "autobuild", or "manual"
+# - Custom query pack support
+# - Flexible build configuration
+# - Debug logging options
+
+on:
+  workflow_call:
+    inputs:
+      # Language to analyze (default: java)
+      language:
+        description: 'Programming language to analyze'
+        required: false
+        type: string
+        default: 'java'
+
+      # Query packs to use in addition to the default security queries
+      query-packs:
+        description: 'Comma-separated list of CodeQL query packs to use (e.g., "codeql/java-queries:cwe-079,codeql/java-queries:cwe-089")'
+        required: false
+        type: string
+        default: ''
+
+      # Query suite to use (options: default, security-extended, security-and-quality)
+      query-suite:
+        description: 'CodeQL query suite to use'
+        required: false
+        type: string
+        default: 'security-extended'
+
+      # Build mode configuration
+      build-mode:
+        description: 'CodeQL build mode: "none" (no build needed - fastest, recommended for Java/C#), "autobuild" (automatic detection), or "manual" (requires build-command)'
+        required: false
+        type: string
+        default: 'none'
+
+      # Build command (only used when build-mode is "manual")
+      build-command:
+        description: 'Custom build command (only used when build-mode is "manual")'
+        required: false
+        type: string
+        default: ''
+
+      # Java version to use
+      java-version:
+        description: 'Java version to use for build'
+        required: false
+        type: string
+        default: '11'
+
+      # Debug logging toggle
+      debug-logging:
+        description: 'Enable verbose debug logging for troubleshooting'
+        required: false
+        type: boolean
+        default: false
+
+jobs:
+  codeql-analysis:
+    name: 'CodeQL Analysis'
+    runs-on: ubuntu-latest
+
+    # Required permissions for CodeQL analysis
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+      # Step 1: Checkout the repository code
+      - name: 'Checkout repository'
+        uses: actions/checkout@v4
+        with:
+          # Fetch full history for better analysis
+          fetch-depth: 0
+
+      # Step 2: Set up Java environment
+      - name: 'Set up Java'
+        uses: actions/setup-java@v4
+        with:
+          java-version: ${{ inputs.java-version }}
+          distribution: 'temurin'
+          cache: 'maven'
+
+      # Step 2.5 : Debugging
+      #- name: Debugging
+      #  run: |
+      #    ls -al /opt/hostedtoolcache/CodeQL/2.23.1/x64/codeql/qlpacks/codeql/java-queries/1.8.0
+
+      # Step 3: Initialize CodeQL with specified configuration
+      - name: 'Initialize CodeQL'
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ inputs.language }}
+          # Use the specified query suite
+          # I AM COMMENTING THIS OUT TO MAKE SURE IT ONLY USES MY PACK. THIS WILL BREAK OTHER THINGS THAT USE THIS PARAM
+          # ULTIMATELY I SHOULD UPDATE MY CODE TO HANDLE THE SCENARIO
+          # queries: ${{ inputs.query-suite }}
+          # Add query packs if specified
+          packs: ${{ inputs.query-packs }}
+          # Set build mode based on input parameter
+          build-mode: ${{ inputs.build-mode }}
+        env:
+          # Increase memory for CodeQL analysis
+          CODEQL_ACTION_EXTRA_OPTIONS: '{"database": {"interpret-results": {"max-paths": 4}}}'
+
+      # Step 4: Build the application (only for manual build mode)
+      - name: 'Build application'
+        if: inputs.build-mode == 'manual'
+        run: |
+          if [ -n "${{ inputs.build-command }}" ]; then
+            echo "Using custom build command: ${{ inputs.build-command }}"
+            ${{ inputs.build-command }}
+          else
+            echo "Manual build mode selected but no build command provided, attempting auto-detection"
+            if [ -f "pom.xml" ]; then
+              echo "Detected Maven project - using default Maven build"
+              mvn clean compile -DskipTests
+            elif [ -f "build.gradle" ] || [ -f "build.gradle.kts" ]; then
+              echo "Detected Gradle project - using default Gradle build"
+              ./gradlew build -x test
+            else
+              echo "No recognized build file found - cannot build in manual mode"
+              exit 1
+            fi
+          fi
+
+      # Step 4b: Build note for other build modes
+      - name: 'Build mode information'
+        if: inputs.build-mode != 'manual'
+        run: |
+          if [ "${{ inputs.build-mode }}" == "none" ]; then
+            echo "Using build mode 'none' - CodeQL will analyze without building the project"
+            echo "This is recommended for compiled languages like Java and C# when source code analysis is sufficient"
+          elif [ "${{ inputs.build-mode }}" == "autobuild" ]; then
+            echo "Using build mode 'autobuild' - CodeQL will automatically detect and build the project"
+          fi
+
+      # Step 5: Perform CodeQL Analysis
+      - name: 'Perform CodeQL Analysis'
+        uses: github/codeql-action/analyze@v3
+        with:
+          # Upload results even if there are errors
+          upload: true
+          # Set analysis category for tracking
+          category: 'java-security-analysis'
+        env:
+          # Enable verbose logging for troubleshooting (configurable)
+          CODEQL_ACTION_DEBUG: ${{ inputs.debug-logging }}
+
+      # Step 6: Upload analysis results as artifacts (optional)
+      - name: 'Upload CodeQL results'
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: codeql-results-${{ inputs.language }}
+          path: |
+            ${{ runner.temp }}/codeql_databases/
+            !${{ runner.temp }}/codeql_databases/**/*.zip
+          retention-days: 30
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,42 @@
+# Maven build artifacts
+target/
+pom.xml.tag
+pom.xml.releaseBackup
+pom.xml.versionsBackup
+pom.xml.next
+release.properties
+dependency-reduced-pom.xml
+buildNumber.properties
+.mvn/timing.properties
+.mvn/wrapper/maven-wrapper.jar
+
+# IDE files
+.idea/
+*.iml
+*.ipr
+*.iws
+.vscode/
+.settings/
+.project
+.classpath
+
+# OS files
+.DS_Store
+Thumbs.db
+
+# Temporary files
+*.tmp
+*.temp
+*.swp
+*.swo
+*~
+
+# Logs
+*.log
+logs/
+
+# Spring Boot
+application-*.properties
+application-*.yml
+!application.properties
+!application.yml