Create Java application with intentional vulnerabilities and CodeQL autobuild workflow

[Copilot]

This PR implements a comprehensive Java application designed to demonstrate CodeQL security scanning capabilities, featuring multiple intentional vulnerabilities across different security categories.

Application Overview

The application is built with Maven and includes a multi-package structure demonstrating various security vulnerability patterns:

• Main Application (com.example.app.VulnerableApplication) - Entry point that exercises all vulnerability types
• Database Layer (com.example.database.UserDatabase) - SQL injection vulnerabilities through string concatenation
• Security Utils (com.example.security.CryptoUtils) - Weak cryptographic implementations including MD5 and insecure randomness
• File/Web Controller (com.example.web.FileController) - Path traversal and command injection vulnerabilities
• LDAP Authentication (com.example.ldap.LdapAuth) - LDAP injection through unescaped filter construction

Vulnerability Categories Implemented

The application includes the following intentional security vulnerabilities designed to trigger CodeQL alerts:

SQL Injection

// Direct string concatenation in queries
String query = "SELECT * FROM users WHERE username = '" + username + "'";
stmt.executeQuery(query);

Command Injection

// Unsanitized user input to system commands
Process process = Runtime.getRuntime().exec("sh -c " + userCommand);

Path Traversal

// File operations without path validation
File file = new File(BASE_DIR + filename); // Allows ../../../etc/passwd

LDAP Injection

// Unescaped LDAP filter construction
String filter = "(&(uid=" + username + ")(userPassword=" + password + "))";

Weak Cryptography & Security

• MD5 hash usage for password storage
• java.util.Random for security-sensitive token generation
• Hard-coded encryption keys and database credentials

CodeQL Workflow Configuration

Added .github/workflows/codeql-analysis.yml with the following features:

• Autobuild Functionality - Automatically detects and builds the Maven project
• Comprehensive Query Set - Uses +security-and-quality queries for maximum coverage
• Multiple Triggers - Runs on push, pull requests, and weekly schedule
• Latest Actions - Uses CodeQL v3 actions for improved performance and security

The workflow is configured to use Java 11 with the Temurin distribution and includes proper permissions for security event publishing.

Project Structure

├── .github/workflows/codeql-analysis.yml  # CodeQL scanning workflow
├── pom.xml                                # Maven configuration
├── src/main/java/com/example/
│   ├── app/VulnerableApplication.java     # Main application
│   ├── database/UserDatabase.java        # SQL injection demos
│   ├── security/CryptoUtils.java         # Weak crypto demos
│   ├── web/FileController.java           # Path traversal & command injection
│   └── ldap/LdapAuth.java               # LDAP injection demos
└── src/test/java/com/example/            # Unit tests

Testing & Validation

The application successfully:

• Compiles with mvn clean compile
• Passes all unit tests with mvn test
• Runs demonstrating all vulnerability patterns
• Includes proper .gitignore for Maven projects

Security Notice

⚠️ This application contains intentional security vulnerabilities for educational and demonstration purposes only. It should never be deployed in a production environment.

The implementation serves as a comprehensive test case for CodeQL's ability to detect various categories of security vulnerabilities in Java applications using the autobuild functionality.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/devopselvis/devopselvis%2Fcoding-agent-example-java-codeql-autobuild/languages
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Create a simple java application and associated code scanning workflow</issue_title>
<issue_description>Create a simple java application. It should have several packages that it uses, and at least one of the packages should throw a critical or high codeql alert.

Also create a github actions workflow file that will scan the java application using codeql. The workflow should use the autobuild functionality.</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #1

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[mickeygousset]

LGTM

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

To fix the problem, all SQL queries using user input must be refactored to use parameterized/prepared statements rather than direct string concatenation. Specifically for the error on line 32 (and similar patterns elsewhere), the query should be changed to include ? placeholders for inputs, and then the input values set using the appropriate setString methods before execution. This means changing the authenticateUser method to use a PreparedStatement, constructing the query as "SELECT * FROM users WHERE username = ? AND password = ?", then setting the values for both placeholders using setString(1, username) and setString(2, password) respectively. Similar changes should be made to the other methods (updateUserProfile, deleteUser) to replace concatenated statements with parameterized queries, using PreparedStatement and passing the variables safely to the SQL engine.

Changes should occur only in code snippets shown (within src/main/java/com/example/database/UserDatabase.java), and only in the affected methods. Additional required imports (for PreparedStatement) should also be added. Functionality is preserved: the logic now runs with safe, parameterized queries.

General fix:
Avoid direct concatenation of potentially untrusted input into SQL queries. Instead, use prepared statements, with parameter placeholders (?) for each value derived from user input, and provide those values with the appropriate setter methods (e.g., setString, setInt).

Detailed description:
Replace the creation of the Statement with a PreparedStatement. Change the construction of updateQuery from using concatenation, to using a parameterized SQL statement with question mark placeholders for email, fullName, and userId. Replace the call to stmt.executeUpdate(updateQuery) with the use of the PreparedStatement, after setting its parameters in the correct order with .setString() or the appropriate setter. Remember to close the PreparedStatement instead of the old Statement.

What needs to be changed:

• Replace creation of Statement stmt = conn.createStatement() with a PreparedStatement with parameters.
• Rewrite the SQL to use ? placeholders.
• Set each parameter using the relevant setter.
• Replace uses of stmt with preparedStatement as appropriate.
• Close the PreparedStatement.
• Add import for java.sql.PreparedStatement at the top if not present.

To fix the detected problem, we should replace the use of MD5 in the hashPassword method with a strong, modern password-hashing approach. The best practice in 2024 is to use a dedicated password hashing algorithm such as PBKDF2 with HMAC SHA-256, bcrypt, or Argon2. Since we are limited to the provided code snippet and can only introduce standard library imports, we should use PBKDF2 from the Java standard library (javax.crypto.SecretKeyFactory, javax.crypto.spec.PBEKeySpec) to hash passwords.

Thus, in CryptoUtils.java, update the hashPassword method to use PBKDF2WithHmacSHA256. Generate a random salt per password hash (so the hash is unique for each input) – but as we are limited in code scope and do not have storage/retrieval, for demonstration purposes we’ll use a hardcoded salt. (In real usage, you should always use a random salt per password.)

You need to:

• Add the required imports.
• Update the hashPassword implementation to use PBKDF2WithHmacSHA256, with a hardcoded salt and reasonable iteration count/key length.
• The returned hash should be hex-encoded as before.

The best way to fix the issue is to specify the absolute path to the shell interpreter ("sh") when executing a command via Runtime.getRuntime().exec. This means replacing "sh -c " + userCommand with "/bin/sh -c " + userCommand, to ensure that it explicitly runs the trusted system shell.

If sh could be located in a different directory on some installations, consider allowing the shell path to be configurable, but by default it should use a hardcoded trusted absolute path. In this particular code, since only the relative path "sh" is used, and the background recommends absolute paths, we should change line 81 to use "/bin/sh".

No additional imports or methods are needed for this particular change.

Edit required:

• src/main/java/com/example/web/FileController.java line 81:
  • Change "sh -c " + userCommand to "/bin/sh -c " + userCommand"

To fix this problem, the BufferedReader reader = ... block and subsequent code should be wrapped in a try-with-resources statement so that the reader (and the stream it wraps) is always closed, even if an error occurs. This matches the best practice already used elsewhere in this file (e.g., in methods on lines 34—41 and 84—91).

Specifically, replace lines 110–115 such that:

• BufferedReader reader = ... becomes a try-with-resources statement, like try (BufferedReader reader = ...) { ... }.
• The closing curly brace comes after the read loop, so that the resource is properly closed after use.
  No extra imports or extra methods are required; all existing imports suffice.

[mickeygousset]

@copilot

What do I need to do to get the dependencies to show up in the dependency graph

[Copilot]

@copilot

What do I need to do to get the dependencies to show up in the dependency graph
...

For Maven dependencies to show up in GitHub's dependency graph, the following should be in place:

1. pom.xml at repository root - ✅ Already present
2. Dependency graph feature enabled - This is enabled by default for public repositories
3. Wait for initial scan - GitHub scans the repository after each push to detect dependency files

The dependency graph should populate automatically since your pom.xml is at the root level. If you're not seeing dependencies yet:

• Check the "Insights" → "Dependency graph" tab in your repository
• Ensure the repository visibility allows dependency graph (public repos or GitHub Advanced Security for private)
• Wait a few minutes after the first push for GitHub to scan and process the pom.xml

Your current pom.xml includes all the standard Maven dependencies (Guava, SLF4J, Commons Lang3, MySQL Connector, Spring Web, Jackson, JUnit) which should all appear in the dependency graph once GitHub processes the file.