diff --git a/.codeql/custom-queries/02-compliance/gdpr-data-processing-detection.ql b/.codeql/custom-queries/02-compliance/gdpr-data-processing-detection.ql
index 9ba9242a91..3417f1d524 100644
--- a/.codeql/custom-queries/02-compliance/gdpr-data-processing-detection.ql
+++ b/.codeql/custom-queries/02-compliance/gdpr-data-processing-detection.ql
@@ -1,8 +1,11 @@
-// by claude (Sonnet 4)
 /**
 * @name GDPR Data Processing Detection
 * @description Rileva possibili violazioni GDPR nel processing di dati personali
+ * @kind problem
+ * @id java/find-sql-queries
+ * @problem.severity recommendation
+ * @tags security
 */
 import java
diff --git a/.codeql/custom-queries/03-standard-aziendali-interni/company-doc-template-adherence-a.ql b/.codeql/custom-queries/03-standard-aziendali-interni/company-doc-template-adherence-a.ql
index 0195e0b47e..11bab5d91d 100644
--- a/.codeql/custom-queries/03-standard-aziendali-interni/company-doc-template-adherence-a.ql
+++ b/.codeql/custom-queries/03-standard-aziendali-interni/company-doc-template-adherence-a.ql
@@ -8,12 +8,6 @@
 * @problem.severity warning
 * @tags documentation
 * style
- *
- * Notes:
- * - Configure requiredDocFragments with the strings (or regex fragments) that must appear in the Javadoc header according to your company template
- * (for example: "Component:", "Owner:", "API:", "@since", "@deprecated", etc).
- * - This query heuristically checks Javadoc text exposed by the CodeQL model. If your template is maintained as Markdown files,
- * consider adding a separate query that inspects repository Markdown files under docs/ or the template repository.
 */
 import java
diff --git a/.codeql/custom-queries/04-architettura-del-codice/god-class-detection.ql b/.codeql/custom-queries/04-architettura-del-codice/god-class-detection.ql
index 07387eba2b..ccd45472df 100644
--- a/.codeql/custom-queries/04-architettura-del-codice/god-class-detection.ql
+++ b/.codeql/custom-queries/04-architettura-del-codice/god-class-detection.ql
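Review bot: `@id java/find-sql-queries` does not identify this query: CodeQL uses `@id` as the SARIF rule id and requires it to be unique, so any other query carrying the same id would make results collide in code scanning, and the name tells a reader nothing about GDPR detection. The sibling query on this page follows the pattern `@id java/resource-leak-detection`; the matching value here is `* @id java/gdpr-data-processing-detection`. `@tags security` on a `recommendation`-severity query is consistent with the tag-based suite selection the new config file describes, so that part reads fine.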
@@ -8,10 +8,6 @@
 * @problem.severity warning
 * @tags architecture
 * design
- *
- * Notes:
- * - Thresholds are conservative defaults; tune per project:
- * methodsThreshold = 50, fieldsThreshold = 30, totalLocThreshold = 2000
 */
 import java
diff --git a/.codeql/custom-queries/08-resource-management/resource-leak-detection.ql b/.codeql/custom-queries/08-resource-management/resource-leak-detection.ql
index e6e20c9956..4a366803b7 100644
--- a/.codeql/custom-queries/08-resource-management/resource-leak-detection.ql
+++ b/.codeql/custom-queries/08-resource-management/resource-leak-detection.ql
@@ -6,6 +6,7 @@
 * @kind problem
 * @id java/resource-leak-detection
 * @problem.severity warning
+ * @tags security
 */
 import java
diff --git a/.codeql/custom-queries/09-cryptographic-security/empt-catch-block-detection.ql b/.codeql/custom-queries/09-cryptographic-security/empt-catch-block-detection.ql
index 828829d67c..f30085ffe7 100644
--- a/.codeql/custom-queries/09-cryptographic-security/empt-catch-block-detection.ql
+++ b/.codeql/custom-queries/09-cryptographic-security/empt-catch-block-detection.ql
@@ -14,14 +14,7 @@ import java
 from CatchClause cc
 where
- // Il blocco catch è vuoto (non contiene statement)
 cc.getBlock().getNumStmt() = 0 and
-
- // Oppure contiene solo commenti (blocco con solo whitespace/commenti)
 not exists(Stmt s | s.getParent() = cc.getBlock()) and
-
- // Esclude catch di InterruptedException (spesso legittimo lasciarli vuoti)
 not cc.getVariable().getType().(RefType).hasQualifiedName("java.lang", "InterruptedException")
-
-select cc, "Blocco catch vuoto - potrebbe nascondere errori importanti"
-
+select cc, "Blocco catch vuoto - potrebbe nascondere errori importanti"
\ No newline at end of file
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
new file mode 100644
index 0000000000..2532251d0b
--- /dev/null
+++ b/.github/codeql/codeql-config.yml
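Review bot: In empt-catch-block-detection.ql the removed comments were the only explanation of why `where` has two overlapping conjuncts, and what remains is now undocumented and misleading: `cc.getBlock().getNumStmt() = 0` and `not exists(Stmt s | s.getParent() = cc.getBlock())` both test for the absence of statements, so the second does not separately cover comment-only blocks as the deleted comment claimed (a block holding only a comment already has no `Stmt` children). Either drop one conjunct or restore a single comment, e.g. `// a catch body with no Stmt children; a body holding only comments also qualifies`. The query also sits under `09-cryptographic-security/` although it has nothing to do with cryptography, which folder-based suite selection will reflect.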
@@ -0,0 +1,18 @@
+name: "Custom CodeQL Configuration"
+
+queries:
+ - uses: ./.codeql/custom-queries
+
+disable-default-queries: true
+
+# È necessario aggiungere almeno un'istruzione query, queries, o qlpack alla definizione della suite, altrimenti non verrà selezionata alcuna query.
+# https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-codeql-query-suites
+
+# - query: path/to/query.ql
+# - queries: path/to/queries/
+# - exclude: path/to/excluded-query.ql
+# - include: another-suite.qls
+# - tags: security
+
+# Attraverso i tags nei metadati delle query CodeQL puoi selezionare (includere o escludere) facilmente gruppi di query in una query suite.
+# https://codeql.github.com/docs/writing-codeql-queries/metadata-for-codeql-queries/
\ No newline at end of file
diff --git a/.github/workflows/codeql-advanced-setup.yml b/.github/workflows/codeql-advanced-setup.yml
deleted file mode 100644
index 693a94e1c1..0000000000
--- a/.github/workflows/codeql-advanced-setup.yml
+++ /dev/null
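Review bot: `disable-default-queries: true` together with `queries:` listing only `./.codeql/custom-queries` means the standard CodeQL security suite no longer runs on pull requests; the deleted codeql-advanced-setup.yml ran the defaults (its custom-queries line was commented out), so for the repository this is a coverage regression rather than an addition. If the intent is custom queries on top of the defaults, remove the `disable-default-queries` line or add `- uses: security-extended` under `queries:`. The two trailing comments describe `tags:` filtering, but the file uses none, and it ends without a newline.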
@@ -1,79 +0,0 @@ -#1) HEADER & TRIGGER -name: "Codeql Advanced Setup" - -on: - push: - branches: [ "custom_queries" ] - pull_request: - branches: [ "custom_queries" ] - -#2) CONFIGURAZIONE JOBS -jobs: - analyze: - name: Analyze Java - Conditional - runs-on: ubuntu-latest - -#3) PERMESSI - DEFINISCE COSA PUO' FARE IL WORKFLOW NEL REPOSITORY - permissions: - security-events: write # Per scrivere risultati di sicurezza - packages: read # Per scaricare query pack CodeQL - actions: read # Per leggere altri workflow - contents: read # Per leggere il codice del repo - -#4) CHECKOUT - steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - fetch-depth: 0 # Necessario per rilevare i file modificati - -#5) RILEVAMENTO FILE MODIFICATI - - name: Get changed files - id: changed-files - uses: tj-actions/changed-files@v44 - with: - files: | - **/*.java - **/*.xml - **/*.properties - -#6) SETUP JAVA - CONDIZIONALE - - name: Setup Java - if: steps.changed-files.outputs.any_changed == 'true' - uses: actions/setup-java@v4 - with: - distribution: 'temurin' - java-version: '21' - cache: 'maven' - -#7) INITIALIZE CODEQL - CONDIZIONALE - - name: Initialize CodeQL - if: steps.changed-files.outputs.any_changed == 'true' - uses: github/codeql-action/init@v3 - with: - languages: java-kotlin - build-mode: none - # queries: .codeql/custom-queries QUERY PERSONALIZZATE RIMOSSE - -#8) BUILD - CONDIZIONALE - RIMOSSO - -#9) ANALISI CODEQL - CONDIZIONALE - - name: Perform CodeQL Analysis - if: steps.changed-files.outputs.any_changed == 'true' - uses: github/codeql-action/analyze@v3 - with: - category: "/language:java-kotlin" - -#10) SUMMARY - - name: Analysis Summary - if: steps.changed-files.outputs.any_changed == 'true' - run: | - echo "WebGoat CodeQL analysis completed" - echo "Files analyzed: ${{ steps.changed-files.outputs.all_changed_files }}" - echo "Language: java-kotlin" - - - name: No Changes Summary - if: steps.changed-files.outputs.any_changed == 'false' - run: | - 
echo "No Java/XML/Properties files changed"
- echo "⏭CodeQL analysis skipped for performance"
diff --git a/.github/workflows/codeql-no-diff.yml b/.github/workflows/codeql-no-diff.yml
new file mode 100644
index 0000000000..e6596bdbd3
--- /dev/null
+++ b/.github/workflows/codeql-no-diff.yml
@@ -0,0 +1,63 @@
+#1) HEADER & TRIGGER
+name: "Codeql on PR / Total Scan"
+
+on:
+ pull_request:
+ branches: [ "main", ]
+
+#2) CONFIGURAZIONE JOBS
+jobs:
+ analyze:
+ name: Analyze Java - Total no Diff
+ runs-on: ubuntu-latest
+
+#3) PERMESSI - DEFINISCE COSA PUO' FARE IL WORKFLOW NEL REPOSITORY
+ permissions:
+ security-events: write # Per scrivere risultati di sicurezza
+ packages: read # Per scaricare query pack CodeQL
+ actions: read # Per leggere altri workflow
+ contents: read # Per leggere il codice del repo
+
+#4) CHECKOUT
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+#5) SETUP JAVA
+ - name: Setup Java
+ uses: actions/setup-java@v4
+ with:
+ distribution: 'temurin'
+ java-version: '21'
+
+#6) INITIALIZE CODEQL
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: java-kotlin
+ build-mode: none
+ config-file: ./.github/codeql/codeql-config.yml
+
+#7) ANALISI CODEQL
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+
+#8) DEBUG
+ - name: Debug SARIF Path
+ run: find /home/runner/work/WebGoat/ -name "*.sarif"
+
+#9) UPLOAD SARIF E CREAZIONE ARTIFACT
+ - name: Upload SARIF
+ uses: actions/upload-artifact@v4
+ with:
+ name: sarif-report
+ path: /home/runner/work/WebGoat/results/java.sarif
+
+#10) SUMMARY
+ - name: Analysis Summary
+ run: |
+ echo "WebGoat CodeQL analysis completed"
+ echo "Files analyzed: ${{ steps.changed-files.outputs.all_changed_files }}"
+ echo "Language: java-kotlin"
+
+
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000000..aaff069fd0
--- /dev/null
+++ b/.github/workflows/codeql.yml
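Review bot: `${{ steps.changed-files.outputs.all_changed_files }}` in the summary step of codeql-no-diff.yml references a step id that does not exist in this workflow (there is no changed-files step here, unlike codeql.yml), so the echo prints an empty list; drop that line or print `${{ github.event.pull_request.head.sha }}` instead. The `find /home/runner/work/WebGoat/` debug step and `path: /home/runner/work/WebGoat/results/java.sarif` hard-code the runner's directory layout; set `output:` on the analyze step and point both at that path. Uploading the SARIF as a build artifact also makes every finding downloadable by anyone who can read the repository's workflow runs, which is broader than the code-scanning alert permission; keep it only if that is intended.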
@@ -0,0 +1,111 @@
+
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+
+#1) HEADER & TRIGGER
+name: "Codeql on PR / Conditional Scan NEW"
+
+on:
+ pull_request:
+ branches: [ "main" ] #Se voglio triggerare su tutti i rami = branches: [ "*" ]
+
+#2) CONFIGURAZIONE JOBS
+jobs:
+ analyze:
+ name: Analyze Java - Conditional
+ runs-on: ubuntu-latest
+
+#3) PERMESSI - DEFINISCE COSA PUO' FARE IL WORKFLOW NEL REPOSITORY
+ permissions:
+ security-events: write # Per scrivere risultati di sicurezza
+ packages: read # Per scaricare query pack CodeQL
+ actions: read # Per leggere altri workflow
+ contents: read # Per leggere il codice del repo
+
+#4) CHECKOUT
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0 # Necessario per rilevare i file modificati
+
+#5) RILEVAMENTO FILE MODIFICATI
+ - name: Get changed files
+ id: changed-files
+ uses: tj-actions/changed-files@v44 # https://github.com/tj-actions/changed-files
+ with:
+ files: |
+ **/*.java
+ **/*.xml
+ **/*.properties
+
+#6) SETUP JAVA - CONDIZIONALE
+ - name: Setup Java
+ if: steps.changed-files.outputs.any_changed == 'true'
+ uses: actions/setup-java@v4
+ with:
+ distribution: 'temurin'
+ java-version: '21'
+
+#7) INITIALIZE CODEQL - CONDIZIONALE
+ - name: Initialize CodeQL
+ if: steps.changed-files.outputs.any_changed == 'true'
+ uses: github/codeql-action/init@v3
+ with:
+ languages: java-kotlin
+ build-mode: none
+ config-file: ./.github/codeql/codeql-config.yml
+ # https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-codeql-model-packs
+
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
+#8) BUILD MANUALE - CONDIZIONALE
+ # - name: Build WebGoat - Full Project
+ # if: steps.changed-files.outputs.any_changed == 'true'
+ # run: |
+ # echo "Building complete WebGoat project..."
+ # mvn clean compile -DskipTests -q
+ # echo "Build completed successfully"
+
+#9) ANALISI CODEQL - CONDIZIONALE
+ - name: Perform CodeQL Analysis
+ if: steps.changed-files.outputs.any_changed == 'true'
+ uses: github/codeql-action/analyze@v3
+
+#10) DEBUG
+ - name: Debug SARIF Path
+ if: steps.changed-files.outputs.any_changed == 'true'
+ run: find /home/runner/work/WebGoat/ -name "*.sarif"
+
+#11) UPLOAD SARIF E CREAZIONE ARTIFACT
+ - name: Upload SARIF
+ if: steps.changed-files.outputs.any_changed == 'true'
+ uses: actions/upload-artifact@v4
+ with:
+ name: sarif-report
+ path: /home/runner/work/WebGoat/results/java.sarif
+
+#12) SUMMARY
+ - name: Analysis Summary
+ if: steps.changed-files.outputs.any_changed == 'true'
+ run: |
+ echo "WebGoat CodeQL analysis completed"
+ echo "Files analyzed: ${{ steps.changed-files.outputs.all_changed_files }}"
+ echo "Language: java-kotlin"
+
+ - name: No Changes Summary
+ if: steps.changed-files.outputs.any_changed == 'false'
+ run: |
+ echo "No Java/XML/Properties files changed"
+ echo "⏭CodeQL analysis skipped for performance"
+
diff --git a/.github/workflows/codeql_conditional_scan.yml b/.github/workflows/codeql_conditional_scan.yml
deleted file mode 100644
index 4d7d22991d..0000000000
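Review bot: `uses: tj-actions/changed-files@v44` in step 5 pins a third-party action to a mutable tag while the job holds `security-events: write`, so whatever the tag points to at run time executes with that token; pin it to a full commit SHA, `uses: tj-actions/changed-files@<full-commit-sha> # v44`, and do the same for the other `uses:` lines. This particular action is the one whose release tags were reported retargeted to malicious code in a supply-chain incident, which is why a tag is not enough here. The `files:` filter lists only `**/*.java`, `**/*.xml` and `**/*.properties`, so a PR that changes only `.codeql/custom-queries/**` or `.github/codeql/codeql-config.yml` skips the very scan meant to exercise those queries; add those globs. The `find /home/runner/work/WebGoat/` and `path: /home/runner/work/WebGoat/results/java.sarif` lines hard-code the runner layout, as in codeql-no-diff.yml; set `output:` on the analyze step and use that path.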
--- a/.github/workflows/codeql_conditional_scan.yml
+++ /dev/null
@@ -1,79 +0,0 @@ -#1) HEADER & TRIGGER -name: "Codeql on Push & PR / Conditional Scan" - -on: - push: - branches: [ "custom_queries" ] - pull_request: - branches: [ "custom_queries" ] - -#2) CONFIGURAZIONE JOBS -jobs: - analyze: - name: Analyze Java - Conditional - runs-on: ubuntu-latest - -#3) PERMESSI - DEFINISCE COSA PUO' FARE IL WORKFLOW NEL REPOSITORY - permissions: - security-events: write # Per scrivere risultati di sicurezza - packages: read # Per scaricare query pack CodeQL - actions: read # Per leggere altri workflow - contents: read # Per leggere il codice del repo - -#4) CHECKOUT - steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - fetch-depth: 0 # Necessario per rilevare i file modificati - -#5) RILEVAMENTO FILE MODIFICATI - - name: Get changed files - id: changed-files - uses: tj-actions/changed-files@v44 - with: - files: | - **/*.java - **/*.xml - **/*.properties - -#6) SETUP JAVA - CONDIZIONALE - - name: Setup Java - if: steps.changed-files.outputs.any_changed == 'true' - uses: actions/setup-java@v4 - with: - distribution: 'temurin' - java-version: '21' - # cache: 'maven' NON SERVE CON BUILD-MODE: NONE - -#7) INITIALIZE CODEQL - CONDIZIONALE - - name: Initialize CodeQL - if: steps.changed-files.outputs.any_changed == 'true' - uses: github/codeql-action/init@v3 - with: - languages: java-kotlin - build-mode: none - queries: .codeql/custom-queries - -#8) BUILD MANUALE ELIMINATA - -#9) ANALISI CODEQL - CONDIZIONALE - - name: Perform CodeQL Analysis - if: steps.changed-files.outputs.any_changed == 'true' - uses: github/codeql-action/analyze@v3 - with: - category: "/language:java-kotlin" - -#10) SUMMARY - - name: Analysis Summary - if: steps.changed-files.outputs.any_changed == 'true' - run: | - echo "WebGoat CodeQL analysis completed" - echo "Files analyzed: ${{ steps.changed-files.outputs.all_changed_files }}" - echo "Language: java-kotlin" - - - name: No Changes Summary - if: steps.changed-files.outputs.any_changed == 'false' - 
run: |
- echo "No Java/XML/Properties files changed"
- echo "⏭CodeQL analysis skipped for performance"
diff --git a/.gitignore b/.gitignore
index 0520a6844e..93060d1134 100644
--- a/.gitignore
+++ b/.gitignore
@@ -70,4 +70,4 @@ node_modules/
 echo target/ >> .gitignore
 echo *.log >> .gitignore
-echo .DS_Store >> .gitignore
\ No newline at end of file
+echo .DS_Store >> .gitignore
diff --git a/codeql-custom-queries-java/codeql-pack.lock.yml b/codeql-custom-queries-java/codeql-pack.lock.yml
new file mode 100644
index 0000000000..5300427457
--- /dev/null
+++ b/codeql-custom-queries-java/codeql-pack.lock.yml
@@ -0,0 +1,4 @@
+---
+lockVersion: 1.0.0
+dependencies: {}
+compiled: false
diff --git a/codeql-custom-queries-java/codeql-pack.yml b/codeql-custom-queries-java/codeql-pack.yml
new file mode 100644
index 0000000000..6ea72304bf
--- /dev/null
+++ b/codeql-custom-queries-java/codeql-pack.yml
@@ -0,0 +1,8 @@
+---
+library: false
+warnOnImplicitThis: false
+compileForOverlayEval: false
+name: getting-started/codeql-extra-queries-java
+version: 1.0.0
+dependencies:
+ codeql/java-all: ^7.7.0
diff --git a/src/it/java/org/owasp/webgoat/ServerUrlConfig.java b/src/it/java/org/owasp/webgoat/ServerUrlConfig.java
index 30b5b29f8f..e363d69944 100644
--- a/src/it/java/org/owasp/webgoat/ServerUrlConfig.java
+++ b/src/it/java/org/owasp/webgoat/ServerUrlConfig.java
@@ -7,7 +7,7 @@ public record ServerUrlConfig(String host, String port, String contextPath) {
 public ServerUrlConfig {
- contextPath = contextPath.replaceAll("/", "");
+ contextPath = contextPath.replaceAll("/", ""); //error
 }
 public String getBaseUrl() {
diff --git a/src/main/java/org/dummy/insecure/framework/ExampleVulnerableClass.java b/src/main/java/org/dummy/insecure/framework/ExampleVulnerableClass.java
new file mode 100644
index 0000000000..b2cb18a613
--- /dev/null
+++ b/src/main/java/org/dummy/insecure/framework/ExampleVulnerableClass.java
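Review bot: The pack declared in codeql-custom-queries-java/codeql-pack.yml lives in a directory the workflows never run: the config this commit wires into both workflows (`./.github/codeql/codeql-config.yml`) points `queries:` at `./.codeql/custom-queries`, so the queries actually executed are not the ones this pack and its lock file describe (inferred from the paths on this page; a pack file under `.codeql/custom-queries`, if one exists, is not shown). Either move the pack metadata next to the queries or point `queries:` at this directory. `name: getting-started/codeql-extra-queries-java` is the template placeholder; a pack name should identify this project.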
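Review bot: The added `//error` comment in ServerUrlConfig's compact constructor tells the next reader nothing; if it marks a suspected defect, state what it is, otherwise drop it. On the same line, `contextPath.replaceAll("/", "")` compiles a regex to remove a literal slash; `contextPath = contextPath.replace("/", "");` does the same without one. The enclosing record continues outside the hunk.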
@@ -0,0 +1,6 @@
+package org.dummy.insecure.framework;
+
+public class ExampleVulnerableClass {
+ // Vulnerable code example
+ private String password = "SuperSecret123!";
+}
\ No newline at end of file
diff --git a/src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java b/src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java
index b5cad9cc56..7646633193 100644
--- a/src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java
+++ b/src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java
@@ -59,6 +59,13 @@ private void readObject(ObjectInputStream stream) throws Exception {
 throw new IllegalArgumentException("outdated");
 }
+ try {
+ // some code that may throw an exception
+ int x = 1 / 0;
+ } catch (ArithmeticException e) {
+ // Empty catch block: this will be detected as a vulnerability
+ }
+
 // condition is here to prevent you from destroying the goat altogether
 if ((taskAction.startsWith("sleep") || taskAction.startsWith("ping"))
 && taskAction.length() < 22) {
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/ImageServlet.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/ImageServlet.java
index 735d9f1e42..7ad771436b 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/ImageServlet.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/ImageServlet.java
@@ -9,6 +9,8 @@ import java.io.IOException;
 import java.util.Random;
+
+import org.hsqldb.persist.Log;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -32,6 +34,7 @@ public byte[] logo() throws IOException {
 .readAllBytes();
 String pincode = String.format("%04d", PINCODE);
+ //asdjakdjakaj commento per change
 in[81216] = (byte) pincode.charAt(0);
 in[81217] = (byte) pincode.charAt(1);
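Review bot: `private String password = "SuperSecret123!";` in ExampleVulnerableClass is evidently a deliberate finding for the custom queries, but nothing in the file says so, and the literal is indistinguishable from a real credential to secret scanners, push protection and reviewers. Replace `// Vulnerable code example` with something explicit such as `// Fixture: deliberately hard-coded credential so the custom CodeQL queries have a finding to report; never read at runtime`. The field is also never read, so dead-code checks will flag it as well, and the file ends without a trailing newline.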
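Review bot: In VulnerableTaskHolder.readObject the inserted `int x = 1 / 0;` always throws, `x` is never read, and the catch comment calls the empty block a vulnerability when it is the code-quality smell that `empt-catch-block-detection.ql` reports; the same six lines are pasted into `SqlInjectionChallenge.registerNewUser` further down this page. Because `readObject` runs on every deserialization in this lesson, the fixture now executes in a live path rather than in test code; say so where it sits, e.g. `// Fixture for empt-catch-block-detection.ql: the division always throws and the empty catch is the expected finding`. `readObject` begins and ends outside the hunk.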
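Review bot: `import org.hsqldb.persist.Log;` in ImageServlet is not used by anything visible in either hunk of this file and names an HSQLDB-internal persistence class rather than a logging API; an unused import of a database engine's internals is exactly what the new quality queries will report, and it ties the servlet to the HSQLDB implementation. Drop the import and the blank line added with it.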
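Review bot: `//asdjakdjakaj commento per change` is placeholder noise placed between the pincode formatting and the byte writes in `logo()`, where a reader will assume it carries meaning. Remove it, or if a marker is needed to exercise the change-detection workflow, write what it is for. `logo()` continues outside the hunk.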
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
index f27c3cdb21..0e8047643a 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
@@ -68,6 +68,12 @@ public AttackResult registerNewUser(
 attackResult = informationMessage(this).feedback("user.created").feedbackArgs(username).build();
 }
+ try {
+ // some code that may throw an exception
+ int x = 1 / 0;
+ } catch (ArithmeticException e) {
+ // Empty catch block: this will be detected as a vulnerability
+ }
 } catch (SQLException e) {
 attackResult = failed(this).output("Something went wrong").build();
 }