From 7cf54f989056e0116a8e497646c49c0fed964997 Mon Sep 17 00:00:00 2001 From: MissionOpen Date: Wed, 17 Sep 2025 14:11:55 +0200 Subject: [PATCH 01/36] Update codeql_conditional_scan.yml --- .github/workflows/codeql_conditional_scan.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/codeql_conditional_scan.yml b/.github/workflows/codeql_conditional_scan.yml index 4d7d22991d..caae55fced 100644 --- a/.github/workflows/codeql_conditional_scan.yml +++ b/.github/workflows/codeql_conditional_scan.yml @@ -2,10 +2,8 @@ name: "Codeql on Push & PR / Conditional Scan" on: - push: - branches: [ "custom_queries" ] pull_request: - branches: [ "custom_queries" ] + branches: [ "main" ] #2) CONFIGURAZIONE JOBS jobs: From 1ee11302f846c058314a020ad88c2be8d1c2714f Mon Sep 17 00:00:00 2001 From: MissionOpen Date: Wed, 17 Sep 2025 14:58:34 +0200 Subject: [PATCH 02/36] Update codeql_conditional_scan.yml --- .github/workflows/codeql_conditional_scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql_conditional_scan.yml b/.github/workflows/codeql_conditional_scan.yml index caae55fced..dd9ea9d742 100644 --- a/.github/workflows/codeql_conditional_scan.yml +++ b/.github/workflows/codeql_conditional_scan.yml @@ -1,9 +1,9 @@ #1) HEADER & TRIGGER -name: "Codeql on Push & PR / Conditional Scan" +name: "Codeql on PR / Conditional Scan" on: pull_request: - branches: [ "main" ] + branches: [ "main" ] #Se voglio triggerare su tutti i rami = branches: [ "*" ] #2) CONFIGURAZIONE JOBS jobs: From 9d1069b0ce4027a944fc74a7e093f61cf53462e2 Mon Sep 17 00:00:00 2001 From: "da.decarolis" Date: Thu, 18 Sep 2025 12:48:17 +0200 Subject: [PATCH 03/36] =?UTF-8?q?prova=20trigger=20rilevamento=20vulnerabi?= =?UTF-8?q?lit=C3=A0=20codeql?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../webgoat/lessons/challenges/challenge1/ImageServlet.java | 3 +++ 1 file changed, 3 insertions(+) 
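Review bot: Removing the `push:` trigger leaves only `pull_request` on `main`, so the default branch itself is never analyzed: commits merged or pushed directly to `main` go unscanned, and code scanning has no baseline analysis of the base branch to compare pull-request results against. Keep a push trigger on the default branch next to the pull-request one, `push:` followed by `branches: [ "main" ]`, so both the baseline and the PR delta are produced. The rest of the `on:` block and the job definition lie outside the hunk.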
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/ImageServlet.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/ImageServlet.java
index 735d9f1e42..7ad771436b 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/ImageServlet.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/ImageServlet.java
@@ -9,6 +9,8 @@ import java.io.IOException; import java.util.Random;
+
+import org.hsqldb.persist.Log;
import org.springframework.core.io.ClassPathResource; import org.springframework.http.MediaType; import org.springframework.web.bind.annotation.RequestMapping;
@@ -32,6 +34,7 @@ public byte[] logo() throws IOException { .readAllBytes(); String pincode = String.format("%04d", PINCODE);
+ //asdjakdjakaj commento per change in[81216] = (byte) pincode.charAt(0); in[81217] = (byte) pincode.charAt(1);
From 00932dbbb93c8c61e23fc5f57c6592cfbc07973a Mon Sep 17 00:00:00 2001 From: "da.decarolis" Date: Thu, 18 Sep 2025 12:55:03 +0200 Subject: [PATCH 04/36] updated action to include custom queries for analysis
--- .github/workflows/codeql_conditional_scan.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/codeql_conditional_scan.yml b/.github/workflows/codeql_conditional_scan.yml
index dd9ea9d742..b14e57110f 100644
--- a/.github/workflows/codeql_conditional_scan.yml
+++ b/.github/workflows/codeql_conditional_scan.yml
@@ -51,16 +51,15 @@ jobs: with: languages: java-kotlin build-mode: none
- queries: .codeql/custom-queries #8) BUILD MANUALE ELIMINATA #9) ANALISI CODEQL - CONDIZIONALE - name: Perform CodeQL Analysis if: steps.changed-files.outputs.any_changed == 'true'
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@v2 with:
- category: "/language:java-kotlin"
+ queries: ./.codeql/custom-queries #10) SUMMARY - name: Analysis Summary
From b1636a20039a1ad80c3f1c552b43f4fe87d9da74 Mon Sep 17 00:00:00 2001 
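Review bot: The added `import org.hsqldb.persist.Log;` is never used and ties a lesson servlet to an HSQLDB-internal persistence class; together with the `//asdjakdjakaj commento per change` line in the second hunk it reads as a throwaway edit made only to exercise the scanner (the subject says as much) and should not reach the main branch. If a deterministic scan trigger is needed, touch a file the workflow already filters on without adding imports, and revert both hunks once the workflow is confirmed to run. The body of `logo()` continues outside the hunk.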
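Review bot: The custom-query path is moved from the `init` step to the `analyze` step (last `+` line of the hunk), but as far as I know `queries:` is an input of `github/codeql-action/init`, where the database and suite are configured, so after this change the suite under `./.codeql/custom-queries` is not selected at all; the removed `category: "/language:java-kotlin"` is also what keeps SARIF uploads distinct when more than one analysis runs on the same commit. Keep `queries: ./.codeql/custom-queries` under the init step's `with:` and keep `category: "/language:java-kotlin"` on the analyze step. The step list continues outside the hunk.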
From: "d.orru" Date: Thu, 18 Sep 2025 15:28:45 +0200 Subject: [PATCH 05/36] codeql analyze@v2 deprecated & custom-queries moved --- .github/workflows/codeql_conditional_scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql_conditional_scan.yml b/.github/workflows/codeql_conditional_scan.yml index b14e57110f..bbf1a87e5f 100644 --- a/.github/workflows/codeql_conditional_scan.yml +++ b/.github/workflows/codeql_conditional_scan.yml @@ -57,7 +57,7 @@ jobs: #9) ANALISI CODEQL - CONDIZIONALE - name: Perform CodeQL Analysis if: steps.changed-files.outputs.any_changed == 'true' - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@v3 with: queries: ./.codeql/custom-queries From ae516c1662a6746d5f3e7b7f1eb9797f96fc9ce7 Mon Sep 17 00:00:00 2001 From: "d.orru" Date: Fri, 19 Sep 2025 09:54:28 +0200 Subject: [PATCH 06/36] delete unnecessary action and gitignore update --- .github/workflows/codeql-advanced-setup.yml | 79 --------------------- .gitignore | 2 +- 2 files changed, 1 insertion(+), 80 deletions(-) delete mode 100644 .github/workflows/codeql-advanced-setup.yml diff --git a/.github/workflows/codeql-advanced-setup.yml b/.github/workflows/codeql-advanced-setup.yml deleted file mode 100644 index 693a94e1c1..0000000000 --- a/.github/workflows/codeql-advanced-setup.yml +++ /dev/null 
@@ -1,79 +0,0 @@ -#1) HEADER & TRIGGER -name: "Codeql Advanced Setup" - -on: - push: - branches: [ "custom_queries" ] - pull_request: - branches: [ "custom_queries" ] - -#2) CONFIGURAZIONE JOBS -jobs: - analyze: - name: Analyze Java - Conditional - runs-on: ubuntu-latest - -#3) PERMESSI - DEFINISCE COSA PUO' FARE IL WORKFLOW NEL REPOSITORY - permissions: - security-events: write # Per scrivere risultati di sicurezza - packages: read # Per scaricare query pack CodeQL - actions: read # Per leggere altri workflow - contents: read # Per leggere il codice del repo - -#4) CHECKOUT - steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - fetch-depth: 0 # Necessario per rilevare i file modificati - -#5) RILEVAMENTO FILE MODIFICATI - - name: Get changed files - id: changed-files - uses: tj-actions/changed-files@v44 - with: - files: | - **/*.java - **/*.xml - **/*.properties - -#6) SETUP JAVA - CONDIZIONALE - - name: Setup Java - if: steps.changed-files.outputs.any_changed == 'true' - uses: actions/setup-java@v4 - with: - distribution: 'temurin' - java-version: '21' - cache: 'maven' - -#7) INITIALIZE CODEQL - CONDIZIONALE - - name: Initialize CodeQL - if: steps.changed-files.outputs.any_changed == 'true' - uses: github/codeql-action/init@v3 - with: - languages: java-kotlin - build-mode: none - # queries: .codeql/custom-queries QUERY PERSONALIZZATE RIMOSSE - -#8) BUILD - CONDIZIONALE - RIMOSSO - -#9) ANALISI CODEQL - CONDIZIONALE - - name: Perform CodeQL Analysis - if: steps.changed-files.outputs.any_changed == 'true' - uses: github/codeql-action/analyze@v3 - with: - category: "/language:java-kotlin" - -#10) SUMMARY - - name: Analysis Summary - if: steps.changed-files.outputs.any_changed == 'true' - run: | - echo "WebGoat CodeQL analysis completed" - echo "Files analyzed: ${{ steps.changed-files.outputs.all_changed_files }}" - echo "Language: java-kotlin" - - - name: No Changes Summary - if: steps.changed-files.outputs.any_changed == 'false' - run: | - 
echo "No Java/XML/Properties files changed" - echo "⏭CodeQL analysis skipped for performance" diff --git a/.gitignore b/.gitignore index 0520a6844e..93060d1134 100644 --- a/.gitignore +++ b/.gitignore @@ -70,4 +70,4 @@ node_modules/ echo target/ >> .gitignore echo *.log >> .gitignore -echo .DS_Store >> .gitignore \ No newline at end of file +echo .DS_Store >> .gitignore From e88286e544edda97e5b9f2b7fd7549a4c48c3610 Mon Sep 17 00:00:00 2001 From: MissionOpen Date: Fri, 19 Sep 2025 11:58:57 +0200 Subject: [PATCH 07/36] Update codeql_conditional_scan.yml --- .github/workflows/codeql_conditional_scan.yml | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql_conditional_scan.yml b/.github/workflows/codeql_conditional_scan.yml index bbf1a87e5f..ec2fb17dd5 100644 --- a/.github/workflows/codeql_conditional_scan.yml +++ b/.github/workflows/codeql_conditional_scan.yml @@ -28,7 +28,7 @@ jobs: #5) RILEVAMENTO FILE MODIFICATI - name: Get changed files id: changed-files - uses: tj-actions/changed-files@v44 + uses: tj-actions/changed-files@v44 # https://github.com/tj-actions/changed-files with: files: | **/*.java @@ -42,7 +42,6 @@ jobs: with: distribution: 'temurin' java-version: '21' - # cache: 'maven' NON SERVE CON BUILD-MODE: NONE #7) INITIALIZE CODEQL - CONDIZIONALE - name: Initialize CodeQL 
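Review bot: `uses: tj-actions/changed-files@v44` references a third-party action by a mutable tag, so whoever controls that repository can move `v44` to different code that then runs with the checkout and the job's `security-events: write` permission; pinning to a full commit SHA with the version kept in the trailing comment is the standard supply-chain mitigation. Something like `uses: tj-actions/changed-files@<FULL-COMMIT-SHA-PLACEHOLDER> # v44 https://github.com/tj-actions/changed-files`, with the real SHA taken from the release. The same unpinned reference reappears in the copy of this step in the new codeql.yml created in PATCH 11/36.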
@@ -52,14 +51,21 @@ jobs: languages: java-kotlin build-mode: none -#8) BUILD MANUALE ELIMINATA +#8) BUILD MANUALE - CONDIZIONALE + # - name: Build WebGoat - Full Project + # if: steps.changed-files.outputs.any_changed == 'true' + # run: | + # echo "Building complete WebGoat project..." + # mvn clean compile -DskipTests -q + # echo "Build completed successfully" #9) ANALISI CODEQL - CONDIZIONALE - name: Perform CodeQL Analysis if: steps.changed-files.outputs.any_changed == 'true' uses: github/codeql-action/analyze@v3 with: - queries: ./.codeql/custom-queries + queries: ./.codeql/custom-queries + # https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-codeql-model-packs #10) SUMMARY - name: Analysis Summary From 1ac8dd3d40a512f8758fd93a29d71cc8eab8d00f Mon Sep 17 00:00:00 2001 From: "d.orru" Date: Fri, 19 Sep 2025 16:07:00 +0200 Subject: [PATCH 08/36] @kind metadata added --- .../02-compliance/gdpr-data-processing-detection.ql | 1 + 1 file changed, 1 insertion(+) diff --git a/.codeql/custom-queries/02-compliance/gdpr-data-processing-detection.ql b/.codeql/custom-queries/02-compliance/gdpr-data-processing-detection.ql index 9ba9242a91..ddf33efc33 100644 --- a/.codeql/custom-queries/02-compliance/gdpr-data-processing-detection.ql +++ b/.codeql/custom-queries/02-compliance/gdpr-data-processing-detection.ql @@ -3,6 +3,7 @@ /** * @name GDPR Data Processing Detection * @description Rileva possibili violazioni GDPR nel processing di dati personali + * @kind problem */ import java From ff92d875d415607e9d95e9a6507416e7817c5524 Mon Sep 17 00:00:00 2001 From: "d.orru" Date: Fri, 19 Sep 2025 16:31:13 +0200 Subject: [PATCH 09/36] delete workflow with errors --- .github/workflows/codeql_conditional_scan.yml | 82 ------------------- 1 file changed, 82 deletions(-) delete mode 100644 .github/workflows/codeql_conditional_scan.yml 
diff --git a/.github/workflows/codeql_conditional_scan.yml b/.github/workflows/codeql_conditional_scan.yml deleted file mode 100644 index ec2fb17dd5..0000000000 --- a/.github/workflows/codeql_conditional_scan.yml +++ /dev/null 
@@ -1,82 +0,0 @@ -#1) HEADER & TRIGGER -name: "Codeql on PR / Conditional Scan" - -on: - pull_request: - branches: [ "main" ] #Se voglio triggerare su tutti i rami = branches: [ "*" ] - -#2) CONFIGURAZIONE JOBS -jobs: - analyze: - name: Analyze Java - Conditional - runs-on: ubuntu-latest - -#3) PERMESSI - DEFINISCE COSA PUO' FARE IL WORKFLOW NEL REPOSITORY - permissions: - security-events: write # Per scrivere risultati di sicurezza - packages: read # Per scaricare query pack CodeQL - actions: read # Per leggere altri workflow - contents: read # Per leggere il codice del repo - -#4) CHECKOUT - steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - fetch-depth: 0 # Necessario per rilevare i file modificati - -#5) RILEVAMENTO FILE MODIFICATI - - name: Get changed files - id: changed-files - uses: tj-actions/changed-files@v44 # https://github.com/tj-actions/changed-files - with: - files: | - **/*.java - **/*.xml - **/*.properties - -#6) SETUP JAVA - CONDIZIONALE - - name: Setup Java - if: steps.changed-files.outputs.any_changed == 'true' - uses: actions/setup-java@v4 - with: - distribution: 'temurin' - java-version: '21' - -#7) INITIALIZE CODEQL - CONDIZIONALE - - name: Initialize CodeQL - if: steps.changed-files.outputs.any_changed == 'true' - uses: github/codeql-action/init@v3 - with: - languages: java-kotlin - build-mode: none - -#8) BUILD MANUALE - CONDIZIONALE - # - name: Build WebGoat - Full Project - # if: steps.changed-files.outputs.any_changed == 'true' - # run: | - # echo "Building complete WebGoat project..." 
- # mvn clean compile -DskipTests -q - # echo "Build completed successfully" - -#9) ANALISI CODEQL - CONDIZIONALE - - name: Perform CodeQL Analysis - if: steps.changed-files.outputs.any_changed == 'true' - uses: github/codeql-action/analyze@v3 - with: - queries: ./.codeql/custom-queries - # https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-codeql-model-packs - -#10) SUMMARY - - name: Analysis Summary - if: steps.changed-files.outputs.any_changed == 'true' - run: | - echo "WebGoat CodeQL analysis completed" - echo "Files analyzed: ${{ steps.changed-files.outputs.all_changed_files }}" - echo "Language: java-kotlin" - - - name: No Changes Summary - if: steps.changed-files.outputs.any_changed == 'false' - run: | - echo "No Java/XML/Properties files changed" - echo "⏭CodeQL analysis skipped for performance" From 40d8537b17d958579b7495a2598ee27793190cbd Mon Sep 17 00:00:00 2001 From: "d.orru" Date: Fri, 19 Sep 2025 16:44:10 +0200 Subject: [PATCH 10/36] GDPR Data Processing Detection Metadata added --- .../02-compliance/gdpr-data-processing-detection.ql | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.codeql/custom-queries/02-compliance/gdpr-data-processing-detection.ql b/.codeql/custom-queries/02-compliance/gdpr-data-processing-detection.ql index ddf33efc33..3417f1d524 100644 --- a/.codeql/custom-queries/02-compliance/gdpr-data-processing-detection.ql +++ b/.codeql/custom-queries/02-compliance/gdpr-data-processing-detection.ql @@ -1,9 +1,11 @@ -// by claude (Sonnet 4) /** * @name GDPR Data Processing Detection * @description Rileva possibili violazioni GDPR nel processing di dati personali * @kind problem + * @id java/find-sql-queries + * @problem.severity recommendation + * @tags security */ import java From eb0486b2b990eb6756af3776c4bf7272e8de52ef Mon Sep 17 00:00:00 2001 
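Review bot: The new `@id java/find-sql-queries` does not describe this query (GDPR data-processing detection) and looks copied from another query; CodeQL uses `@id` as the SARIF rule id and expects it to be unique within a suite, so a duplicated or unrelated id either collides with another query's results or mislabels the alerts in code scanning. Use a specific id such as `@id java/gdpr-data-processing-detection`. The query body continues outside the hunk.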
From: MissionOpen Date: Fri, 19 Sep 2025 17:09:12 +0200 Subject: [PATCH 11/36] Create codeql.yml new workflow in git_actions branch --- .github/workflows/codeql.yml | 98 ++++++++++++++++++++++++++++++++++++ 1 file changed, 98 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000000..58c7a8457f --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,98 @@ + +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. + +#1) HEADER & TRIGGER +name: "Codeql on PR / Conditional Scan NEW" + +on: + pull_request: + branches: [ "main" ] #Se voglio triggerare su tutti i rami = branches: [ "*" ] + +#2) CONFIGURAZIONE JOBS +jobs: + analyze: + name: Analyze Java - Conditional + runs-on: ubuntu-latest + +#3) PERMESSI - DEFINISCE COSA PUO' FARE IL WORKFLOW NEL REPOSITORY + permissions: + security-events: write # Per scrivere risultati di sicurezza + packages: read # Per scaricare query pack CodeQL + actions: read # Per leggere altri workflow + contents: read # Per leggere il codice del repo + +#4) CHECKOUT + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 # Necessario per rilevare i file modificati + +#5) RILEVAMENTO FILE MODIFICATI + - name: Get changed files + id: changed-files + uses: tj-actions/changed-files@v44 # https://github.com/tj-actions/changed-files + with: + files: | + **/*.java + **/*.xml + **/*.properties + +#6) SETUP JAVA - CONDIZIONALE + - name: Setup Java + if: steps.changed-files.outputs.any_changed == 'true' + uses: actions/setup-java@v4 + with: + distribution: 'temurin' + java-version: '21' + +#7) INITIALIZE CODEQL - CONDIZIONALE + - name: Initialize CodeQL + if: steps.changed-files.outputs.any_changed == 'true' + uses: github/codeql-action/init@v3 + with: + languages: java-kotlin + build-mode: none + queries: ./.codeql/custom-queries + # https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-codeql-model-packs + + # If you wish to specify custom 
queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + +#8) BUILD MANUALE - CONDIZIONALE + # - name: Build WebGoat - Full Project + # if: steps.changed-files.outputs.any_changed == 'true' + # run: | + # echo "Building complete WebGoat project..." + # mvn clean compile -DskipTests -q + # echo "Build completed successfully" + +#9) ANALISI CODEQL - CONDIZIONALE + - name: Perform CodeQL Analysis + if: steps.changed-files.outputs.any_changed == 'true' + uses: github/codeql-action/analyze@v3 + +#10) SUMMARY + - name: Analysis Summary + if: steps.changed-files.outputs.any_changed == 'true' + run: | + echo "WebGoat CodeQL analysis completed" + echo "Files analyzed: ${{ steps.changed-files.outputs.all_changed_files }}" + echo "Language: java-kotlin" + + - name: No Changes Summary + if: steps.changed-files.outputs.any_changed == 'false' + run: | + echo "No Java/XML/Properties files changed" + echo "⏭CodeQL analysis skipped for performance" + From ec447695b98e2d1d74c3e3a25ac5ff1465c22c8e Mon Sep 17 00:00:00 2001 From: MissionOpen Date: Fri, 19 Sep 2025 17:43:22 +0200 Subject: [PATCH 12/36] Update codeql.yml added debug message added upload SARIF --- .github/workflows/codeql.yml | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 58c7a8457f..8c05ea847b 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
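Review bot: The `files:` filter of the changed-files step lists only `**/*.java`, `**/*.xml` and `**/*.properties`, while CodeQL is initialized with `languages: java-kotlin`, so a pull request that changes only Kotlin sources (if the repository has any) skips the scan entirely, and build scripts other than `pom.xml` would not trigger it either. Add `**/*.kt` and `**/*.kts` to the list, and any Gradle files that exist, or restrict `languages:` to what the filter actually covers. The commented `queries:` examples left below the `config-file` line are boilerplate from the template and can be removed to avoid suggesting a second place to configure queries.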
@@ -82,7 +82,20 @@ jobs: if: steps.changed-files.outputs.any_changed == 'true' uses: github/codeql-action/analyze@v3 -#10) SUMMARY +#10) DEBUG + - name: Debug SARIF Path + if: steps.changed-files.outputs.any_changed == 'true' + run: find /home/runner/work/WebGoat/ -name "*.sarif" + +#11) UPLOAD SARIF E CREAZIONE ARTIFACT + - name: Upload SARIF + if: steps.changed-files.outputs.any_changed == 'true' + uses: actions/upload-artifact@v3 + with: + name: sarif-report + path: /home/runner/work/WebGoat/results/java.sarif + +#12) SUMMARY - name: Analysis Summary if: steps.changed-files.outputs.any_changed == 'true' run: | From 5999b7b658aa4daebb5c024903178b317e4ccdae Mon Sep 17 00:00:00 2001 From: MissionOpen Date: Fri, 19 Sep 2025 17:53:01 +0200 Subject: [PATCH 13/36] Update codeql.yml update upload-artifact@v4 --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 8c05ea847b..9d1396adf4 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -90,7 +90,7 @@ jobs: #11) UPLOAD SARIF E CREAZIONE ARTIFACT - name: Upload SARIF if: steps.changed-files.outputs.any_changed == 'true' - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: sarif-report path: /home/runner/work/WebGoat/results/java.sarif From 7f7aead6370e12ce5ec1ca1c8b6a77d9c7dd6c96 Mon Sep 17 00:00:00 2001 From: "d.orru" Date: Fri, 19 Sep 2025 18:26:26 +0200 Subject: [PATCH 14/36] java file modified --- src/it/java/org/owasp/webgoat/ServerUrlConfig.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/it/java/org/owasp/webgoat/ServerUrlConfig.java b/src/it/java/org/owasp/webgoat/ServerUrlConfig.java index 30b5b29f8f..e363d69944 100644 --- a/src/it/java/org/owasp/webgoat/ServerUrlConfig.java +++ b/src/it/java/org/owasp/webgoat/ServerUrlConfig.java 
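Review bot: `path: /home/runner/work/WebGoat/results/java.sarif` hardcodes both the hosted-runner layout and the repository name, so on a fork with another name or on a self-hosted runner the upload finds nothing and the preceding `find /home/runner/work/WebGoat/` debug step has the same problem. Set the analyze step's `output:` input explicitly, for example `output: ${{ runner.temp }}/codeql-results`, and point `path:` at that directory instead of an absolute path. Note also that an uploaded artifact is downloadable by anyone who can read the repository's workflow runs, which on a public repository is everyone, whereas the results analyze already sends to code scanning stay behind the security-events permission, so consider keeping the artifact for debugging only.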
@@ -7,7 +7,7 @@ public record ServerUrlConfig(String host, String port, String contextPath) { public ServerUrlConfig {
- contextPath = contextPath.replaceAll("/", "");
+ contextPath = contextPath.replaceAll("/", ""); //error } public String getBaseUrl() {
From cc98c57fb8b3c59c3fa81ab596a10f22c6fc211e Mon Sep 17 00:00:00 2001 From: MissionOpen Date: Mon, 22 Sep 2025 11:23:49 +0200 Subject: [PATCH 15/36] Update codeql.yml custom-queries in init & analyze
--- .github/workflows/codeql.yml | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 9d1396adf4..271e3363b9 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -81,6 +81,8 @@ jobs: - name: Perform CodeQL Analysis if: steps.changed-files.outputs.any_changed == 'true' uses: github/codeql-action/analyze@v3
+ with:
+ queries: ./.codeql/custom-queries #10) DEBUG - name: Debug SARIF Path
From 0be4b6bfaf8c70b6902b533a694f4c2209563cc8 Mon Sep 17 00:00:00 2001 From: "d.orru" Date: Mon, 22 Sep 2025 11:41:58 +0200 Subject: [PATCH 16/36] custom-queries tags changed
--- .../company-doc-template-adherence-a.ql | 6 ------ .../04-architettura-del-codice/god-class-detection.ql | 4 ---- .../08-resource-management/resource-leak-detection.ql | 1 + 3 files changed, 1 insertion(+), 10 deletions(-)
diff --git a/.codeql/custom-queries/03-standard-aziendali-interni/company-doc-template-adherence-a.ql b/.codeql/custom-queries/03-standard-aziendali-interni/company-doc-template-adherence-a.ql
index 0195e0b47e..11bab5d91d 100644
--- a/.codeql/custom-queries/03-standard-aziendali-interni/company-doc-template-adherence-a.ql
+++ b/.codeql/custom-queries/03-standard-aziendali-interni/company-doc-template-adherence-a.ql 
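Review bot: The trailing `//error` comment carries no information and, per the subject, exists only to touch a `.java` file so the conditional scan fires; it should not be merged into the integration-test configuration. If the line is being edited anyway, `contextPath = contextPath.replace("/", "");` is the clearer form, since the argument is a literal and `replaceAll` needlessly compiles it as a regex. The remainder of the record lies outside the hunk.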
@@ -8,12 +8,6 @@ * @problem.severity warning * @tags documentation * style - * - * Notes: - * - Configure requiredDocFragments with the strings (or regex fragments) that must appear in the Javadoc header according to your company template - * (for example: "Component:", "Owner:", "API:", "@since", "@deprecated", etc). - * - This query heuristically checks Javadoc text exposed by the CodeQL model. If your template is maintained as Markdown files, - * consider adding a separate query that inspects repository Markdown files under docs/ or the template repository. */ import java diff --git a/.codeql/custom-queries/04-architettura-del-codice/god-class-detection.ql b/.codeql/custom-queries/04-architettura-del-codice/god-class-detection.ql index 07387eba2b..ccd45472df 100644 --- a/.codeql/custom-queries/04-architettura-del-codice/god-class-detection.ql +++ b/.codeql/custom-queries/04-architettura-del-codice/god-class-detection.ql @@ -8,10 +8,6 @@ * @problem.severity warning * @tags architecture * design - * - * Notes: - * - Thresholds are conservative defaults; tune per project: - * methodsThreshold = 50, fieldsThreshold = 30, totalLocThreshold = 2000 */ import java diff --git a/.codeql/custom-queries/08-resource-management/resource-leak-detection.ql b/.codeql/custom-queries/08-resource-management/resource-leak-detection.ql index e6e20c9956..4a366803b7 100644 --- a/.codeql/custom-queries/08-resource-management/resource-leak-detection.ql +++ b/.codeql/custom-queries/08-resource-management/resource-leak-detection.ql @@ -6,6 +6,7 @@ * @kind problem * @id java/resource-leak-detection * @problem.severity warning + * @tags security */ import java From e1fc0fbfc84f09377cbda3c78c8cc4e0fcbf5537 Mon Sep 17 00:00:00 2001 From: MissionOpen Date: Mon, 22 Sep 2025 11:52:44 +0200 Subject: [PATCH 17/36] Update codeql.yml custom-queries path only in init --- .github/workflows/codeql.yml | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 271e3363b9..9d1396adf4 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -81,8 +81,6 @@ jobs: - name: Perform CodeQL Analysis if: steps.changed-files.outputs.any_changed == 'true' uses: github/codeql-action/analyze@v3 - with: - queries: ./.codeql/custom-queries #10) DEBUG - name: Debug SARIF Path From 0b964bfe46fbe1c01f6cbfec4035b62c1827e36f Mon Sep 17 00:00:00 2001 From: MissionOpen Date: Mon, 22 Sep 2025 12:18:13 +0200 Subject: [PATCH 18/36] Update codeql.yml upload csv instead of sarif --- .github/workflows/codeql.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 9d1396adf4..365ebc6c55 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -83,17 +83,17 @@ jobs: uses: github/codeql-action/analyze@v3 #10) DEBUG - - name: Debug SARIF Path + - name: Debug CSV Path if: steps.changed-files.outputs.any_changed == 'true' - run: find /home/runner/work/WebGoat/ -name "*.sarif" + run: find /home/runner/work/WebGoat/ -name "*.csv" #11) UPLOAD SARIF E CREAZIONE ARTIFACT - - name: Upload SARIF + - name: Upload CSV if: steps.changed-files.outputs.any_changed == 'true' uses: actions/upload-artifact@v4 with: name: sarif-report - path: /home/runner/work/WebGoat/results/java.sarif + path: /home/runner/work/WebGoat/results/java.csv #12) SUMMARY - name: Analysis Summary From c3fc2cf08e87bbd39aca420c2dfe5911e13848d1 Mon Sep 17 00:00:00 2001 From: MissionOpen Date: Mon, 22 Sep 2025 12:26:43 +0200 Subject: [PATCH 19/36] Update codeql.yml debug sarif upload csv --- .github/workflows/codeql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 365ebc6c55..af6270625e 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -83,9 +83,9 @@ jobs: uses: github/codeql-action/analyze@v3 #10) DEBUG - - name: Debug CSV Path + - name: Debug SARIF Path if: steps.changed-files.outputs.any_changed == 'true' - run: find /home/runner/work/WebGoat/ -name "*.csv" + run: find /home/runner/work/WebGoat/ -name "*.sarif" #11) UPLOAD SARIF E CREAZIONE ARTIFACT - name: Upload CSV From da38d2d1f9bcbcf8cd3e0b6b3f3de6769628f6c9 Mon Sep 17 00:00:00 2001 From: MissionOpen Date: Mon, 22 Sep 2025 12:27:27 +0200 Subject: [PATCH 20/36] Update codeql.yml --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index af6270625e..5808255e3f 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -92,7 +92,7 @@ jobs: if: steps.changed-files.outputs.any_changed == 'true' uses: actions/upload-artifact@v4 with: - name: sarif-report + name: csv-report path: /home/runner/work/WebGoat/results/java.csv #12) SUMMARY From 49d82be56eec64ba12e33c7f1dc9d6d4c86cae43 Mon Sep 17 00:00:00 2001 From: MissionOpen Date: Mon, 22 Sep 2025 12:46:16 +0200 Subject: [PATCH 21/36] Update codeql.yml sarif in debug & upload --- .github/workflows/codeql.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 5808255e3f..9d1396adf4 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -88,12 +88,12 @@ jobs: run: find /home/runner/work/WebGoat/ -name "*.sarif" #11) UPLOAD SARIF E CREAZIONE ARTIFACT - - name: Upload CSV + - name: Upload SARIF if: steps.changed-files.outputs.any_changed == 'true' uses: actions/upload-artifact@v4 with: - name: csv-report - path: /home/runner/work/WebGoat/results/java.csv + name: sarif-report + path: /home/runner/work/WebGoat/results/java.sarif #12) SUMMARY - name: Analysis Summary From e5acba1cb368bacc9cb0d2f1222e7228bed42d5d Mon Sep 17 00:00:00 2001 
From: "d.orru" Date: Mon, 22 Sep 2025 15:58:54 +0200 Subject: [PATCH 22/36] codeql config file for custom-queries --- .github/codeql/codeql-config.yml | 6 ++++++ .github/workflows/codeql.yml | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 .github/codeql/codeql-config.yml diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml new file mode 100644 index 0000000000..2d76d1eb3a --- /dev/null +++ b/.github/codeql/codeql-config.yml @@ -0,0 +1,6 @@ +name: "Custom CodeQL Configuration" + +queries: + - uses: ./.codeql/custom-queries + +disable-default-queries: true \ No newline at end of file diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 9d1396adf4..aaff069fd0 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -59,7 +59,7 @@ jobs: with: languages: java-kotlin build-mode: none - queries: ./.codeql/custom-queries + config-file: ./.github/codeql/codeql-config.yml # https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-codeql-model-packs # If you wish to specify custom queries, you can do so here or in a config file. From 942a1a5854ab81b4d79f8cf0b847b12a38d9d82a Mon Sep 17 00:00:00 2001 From: "d.orru" Date: Tue, 23 Sep 2025 11:51:03 +0200 Subject: [PATCH 23/36] add links to codeql-config --- .github/codeql/codeql-config.yml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml index 2d76d1eb3a..2532251d0b 100644 --- a/.github/codeql/codeql-config.yml +++ b/.github/codeql/codeql-config.yml 
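Review bot: `disable-default-queries: true` in the new config file switches off every built-in CodeQL query, so from this commit the PR scan reports only what `./.codeql/custom-queries` finds and none of the standard security queries that ran before; the custom queries visible elsewhere in this series are compliance, architecture and resource-management checks, so this is a real loss of vulnerability coverage unless another workflow keeps the default suite. If custom-only is intended, say so in a comment on that line; otherwise drop the flag or add the default suite under `queries:` alongside the custom path. The file is also written without a trailing newline, as the `\ No newline at end of file` marker shows.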
@@ -3,4 +3,16 @@ name: "Custom CodeQL Configuration" queries: - uses: ./.codeql/custom-queries -disable-default-queries: true \ No newline at end of file +disable-default-queries: true + +# È necessario aggiungere almeno un'istruzione query, queries, o qlpack alla definizione della suite, altrimenti non verrà selezionata alcuna query. +# https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-codeql-query-suites + +# - query: path/to/query.ql +# - queries: path/to/queries/ +# - exclude: path/to/excluded-query.ql +# - include: another-suite.qls +# - tags: security + +# Attraverso i tags nei metadati delle query CodeQL puoi selezionare (includere o escludere) facilmente gruppi di query in una query suite. +# https://codeql.github.com/docs/writing-codeql-queries/metadata-for-codeql-queries/ \ No newline at end of file From 0bb081bafe3098e5f45940a295d6eefdd6313c26 Mon Sep 17 00:00:00 2001 From: MissionOpen Date: Wed, 24 Sep 2025 09:48:51 +0200 Subject: [PATCH 24/36] Create codeql-no-diff.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Deleted: - name: Get changed files id: changed-files uses: tj-actions/changed-files@v44 (.java - .xml - .properties) if: steps.changed-files.outputs.any_changed == 'true') - name: No Changes Summary if: steps.changed-files.outputs.any_changed == 'false' run: | echo "No Java/XML/Properties files changed" echo "⏭CodeQL analysis skipped for performance" --- .github/workflows/codeql-no-diff.yml | 63 ++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 .github/workflows/codeql-no-diff.yml diff --git a/.github/workflows/codeql-no-diff.yml b/.github/workflows/codeql-no-diff.yml new file mode 100644 index 0000000000..c52acc414e --- /dev/null +++ b/.github/workflows/codeql-no-diff.yml 
@@ -0,0 +1,63 @@ +#1) HEADER & TRIGGER +name: "Codeql on PR / Total Scan" + +on: + pull_request: + branches: [ "main" ] #Se voglio triggerare su tutti i rami = branches: [ "*" ] + +#2) CONFIGURAZIONE JOBS +jobs: + analyze: + name: Analyze Java - Total no Diff + runs-on: ubuntu-latest + +#3) PERMESSI - DEFINISCE COSA PUO' FARE IL WORKFLOW NEL REPOSITORY + permissions: + security-events: write # Per scrivere risultati di sicurezza + packages: read # Per scaricare query pack CodeQL + actions: read # Per leggere altri workflow + contents: read # Per leggere il codice del repo + +#4) CHECKOUT + steps: + - name: Checkout repository + uses: actions/checkout@v4 + +#5) SETUP JAVA + - name: Setup Java + uses: actions/setup-java@v4 + with: + distribution: 'temurin' + java-version: '21' + +#6) INITIALIZE CODEQL + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: java-kotlin + build-mode: none + config-file: ./.github/codeql/codeql-config.yml + +#7) ANALISI CODEQL + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + +#8) DEBUG + - name: Debug SARIF Path + run: find /home/runner/work/WebGoat/ -name "*.sarif" + +#9) UPLOAD SARIF E CREAZIONE ARTIFACT + - name: Upload SARIF + uses: actions/upload-artifact@v4 + with: + name: sarif-report + path: /home/runner/work/WebGoat/results/java.sarif + +#10) SUMMARY + - name: Analysis Summary + run: | + echo "WebGoat CodeQL analysis completed" + echo "Files analyzed: ${{ steps.changed-files.outputs.all_changed_files }}" + echo "Language: java-kotlin" + + From c189911489acd96489ab871f99c386be56ee0105 Mon Sep 17 00:00:00 2001 From: MissionOpen Date: Wed, 24 Sep 2025 10:28:53 +0200 Subject: [PATCH 25/36] Update codeql-no-diff.yml Trigger on PR, branches "main" and "git_actions" --- .github/workflows/codeql-no-diff.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
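Review bot: The summary step at the end of the new codeql-no-diff.yml echoes `${{ steps.changed-files.outputs.all_changed_files }}`, but no step with id `changed-files` exists in this workflow (the commit message says it was deleted), so the line prints an empty value; replace it with a literal such as `echo "Files analyzed: entire repository (no diff filter)"`. As a general rule, a `${{ }}` expression that can carry file names should be handed to the shell through `env:` rather than interpolated into `run:`, so that a crafted file name cannot alter the script. The 'Upload SARIF' step and the debug `find` hard-code `/home/runner/work/WebGoat/…`, which breaks as soon as the repository is renamed or forked; setting `output:` on the analyze step and pointing the artifact at that directory avoids the dependency on the runner layout. Note also that the findings already reach the Security tab via `security-events: write`; publishing the SARIF as a downloadable artifact widens who can read the vulnerability list, which may or may not be intended.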
diff --git a/.github/workflows/codeql-no-diff.yml b/.github/workflows/codeql-no-diff.yml index c52acc414e..bddf9d2f84 100644 --- a/.github/workflows/codeql-no-diff.yml +++ b/.github/workflows/codeql-no-diff.yml @@ -3,7 +3,7 @@ name: "Codeql on PR / Total Scan" on: pull_request: - branches: [ "main" ] #Se voglio triggerare su tutti i rami = branches: [ "*" ] + branches: [ "main", "git_actions" ] #Se voglio triggerare su tutti i rami = branches: [ "*" ] #2) CONFIGURAZIONE JOBS jobs: From 38dcc088f12be5e364a26f3bd06cb26873438557 Mon Sep 17 00:00:00 2001 From: MissionOpen Date: Wed, 24 Sep 2025 11:34:47 +0200 Subject: [PATCH 26/36] Update codeql-no-diff.yml build-mode: autobuild --- .github/workflows/codeql-no-diff.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql-no-diff.yml b/.github/workflows/codeql-no-diff.yml index bddf9d2f84..58b29387f3 100644 --- a/.github/workflows/codeql-no-diff.yml +++ b/.github/workflows/codeql-no-diff.yml @@ -35,7 +35,7 @@ jobs: uses: github/codeql-action/init@v3 with: languages: java-kotlin - build-mode: none + build-mode: autobuild config-file: ./.github/codeql/codeql-config.yml #7) ANALISI CODEQL From 0d6c3eb3d894d79dd166c6e2cb369663b04fbc8c Mon Sep 17 00:00:00 2001 From: MissionOpen Date: Wed, 24 Sep 2025 11:41:27 +0200 Subject: [PATCH 27/36] Update codeql-no-diff.yml build-mode: manual --- .github/workflows/codeql-no-diff.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql-no-diff.yml b/.github/workflows/codeql-no-diff.yml index 58b29387f3..d45597134b 100644 --- a/.github/workflows/codeql-no-diff.yml +++ b/.github/workflows/codeql-no-diff.yml 
@@ -35,8 +35,15 @@ jobs: uses: github/codeql-action/init@v3 with: languages: java-kotlin - build-mode: autobuild + build-mode: manual config-file: ./.github/codeql/codeql-config.yml + +#7) BUILD - TOTALE + - name: Build WebGoat - Full Project + run: | + echo "Building complete WebGoat project..." + mvn clean compile -DskipTests -q + echo "Build completed successfully" #7) ANALISI CODEQL - name: Perform CodeQL Analysis From c859d7394c2bc206ecfa3ef0c15b6f7448996c91 Mon Sep 17 00:00:00 2001 From: MissionOpen Date: Wed, 24 Sep 2025 11:56:18 +0200 Subject: [PATCH 28/36] Update codeql-no-diff.yml pull_request: branches: [ "*" ] --- .github/workflows/codeql-no-diff.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql-no-diff.yml b/.github/workflows/codeql-no-diff.yml index d45597134b..3202b8bc75 100644 --- a/.github/workflows/codeql-no-diff.yml +++ b/.github/workflows/codeql-no-diff.yml @@ -3,7 +3,7 @@ name: "Codeql on PR / Total Scan" on: pull_request: - branches: [ "main", "git_actions" ] #Se voglio triggerare su tutti i rami = branches: [ "*" ] + branches: [ "*" ] #Se voglio triggerare su tutti i rami = branches: [ "*" ] #2) CONFIGURAZIONE JOBS jobs: From 0414b34f88955ab3d0b589648455c1c9281b4153 Mon Sep 17 00:00:00 2001 From: "da.decarolis" Date: Wed, 24 Sep 2025 13:13:00 +0200 Subject: [PATCH 29/36] introduced 2 empty catch block exceptions --- .../org/dummy/insecure/framework/VulnerableTaskHolder.java | 7 +++++++ .../sqlinjection/advanced/SqlInjectionChallenge.java | 6 ++++++ 2 files changed, 13 insertions(+) diff --git a/src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java b/src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java index b5cad9cc56..7646633193 100644 --- a/src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java +++ b/src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java 
@@ -59,6 +59,13 @@ private void readObject(ObjectInputStream stream) throws Exception { throw new IllegalArgumentException("outdated"); } + try { + // some code that may throw an exception + int x = 1 / 0; + } catch (ArithmeticException e) { + // Empty catch block: this will be detected as a vulnerability + } + // condition is here to prevent you from destroying the goat altogether if ((taskAction.startsWith("sleep") || taskAction.startsWith("ping")) && taskAction.length() < 22) { diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java index f27c3cdb21..0e8047643a 100644 --- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java +++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java @@ -68,6 +68,12 @@ public AttackResult registerNewUser( attackResult = informationMessage(this).feedback("user.created").feedbackArgs(username).build(); } + try { + // some code that may throw an exception + int x = 1 / 0; + } catch (ArithmeticException e) { + // Empty catch block: this will be detected as a vulnerability + } } catch (SQLException e) { attackResult = failed(this).output("Something went wrong").build(); } From 79dafa82dbc422f72664ffc5d904cfb2c1efdd70 Mon Sep 17 00:00:00 2001 From: MissionOpen Date: Wed, 24 Sep 2025 15:31:56 +0200 Subject: [PATCH 30/36] Update codeql-no-diff.yml Security Tab Results --- .github/workflows/codeql-no-diff.yml | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/.github/workflows/codeql-no-diff.yml b/.github/workflows/codeql-no-diff.yml index 3202b8bc75..ae36fa87cb 100644 --- a/.github/workflows/codeql-no-diff.yml +++ b/.github/workflows/codeql-no-diff.yml 
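Review bot: The `try { int x = 1 / 0; } catch (ArithmeticException e) { }` block added here in `readObject` and again in `registerNewUser` in SqlInjectionChallenge.java is a deliberate fixture for the empty-catch query, but nothing in the code says so, and the local `x` is never read. In `readObject` it now executes on every deserialization of a VulnerableTaskHolder, so an always-throwing statement has become part of the lesson's execution path rather than isolated test data; a dedicated fixture class would keep it out of the lesson code. At minimum replace the inner comment with a marker the team can grep for, e.g. `// CODEQL-FIXTURE: intentionally empty catch for empt-catch-block-detection.ql — do not "fix"`, so nobody removes it and silently breaks the query test. Both enclosing methods start outside the hunk.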
@@ -2,8 +2,10 @@ name: "Codeql on PR / Total Scan" on: + push: + branches: [ "main", "git_actions" ] pull_request: - branches: [ "*" ] #Se voglio triggerare su tutti i rami = branches: [ "*" ] + branches: [ "main", "git_actions" ] #Se voglio triggerare su tutti i rami = branches: [ "*" ] #2) CONFIGURAZIONE JOBS jobs: @@ -35,15 +37,8 @@ jobs: uses: github/codeql-action/init@v3 with: languages: java-kotlin - build-mode: manual + build-mode: none config-file: ./.github/codeql/codeql-config.yml - -#7) BUILD - TOTALE - - name: Build WebGoat - Full Project - run: | - echo "Building complete WebGoat project..." - mvn clean compile -DskipTests -q - echo "Build completed successfully" #7) ANALISI CODEQL - name: Perform CodeQL Analysis From 608efcca721ca2dc36b2275f7d37674aa9d3abfb Mon Sep 17 00:00:00 2001 From: "d.orru" Date: Thu, 25 Sep 2025 11:24:20 +0200 Subject: [PATCH 31/36] Add new vulnerability for test & fix custom-queries --- .../dummy/insecure/framework/ExampleVulnerableClass.java | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 src/main/java/org/dummy/insecure/framework/ExampleVulnerableClass.java diff --git a/src/main/java/org/dummy/insecure/framework/ExampleVulnerableClass.java b/src/main/java/org/dummy/insecure/framework/ExampleVulnerableClass.java new file mode 100644 index 0000000000..b2cb18a613 --- /dev/null +++ b/src/main/java/org/dummy/insecure/framework/ExampleVulnerableClass.java @@ -0,0 +1,6 @@ +package org.dummy.insecure.framework; + +public class ExampleVulnerableClass { + // Vulnerable code example + private String password = "SuperSecret123!"; +} \ No newline at end of file From 93bd9b862719bf2065aed3647d11c34d4306381b Mon Sep 17 00:00:00 2001 
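Review bot: The new ExampleVulnerableClass.java carries a hard-coded credential literal as a query fixture, but the field `password` is private, never read and not marked as test data, so to a later reader (or a secret scanner) it looks like a real leftover secret. Add a marker on the field, e.g. `// CODEQL-FIXTURE: constructed value for the hard-coded-credential query; not a real secret`, and consider keeping such fixtures out of the production source set if the scan configuration allows it. The file is also committed without a trailing newline.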
From: "d.orru" Date: Thu, 25 Sep 2025 12:29:29 +0200 Subject: [PATCH 32/36] New queries for Autofix Test --- .../insecure-trustmanager.ql | 30 +++++++++++++++++++ .../codeql-pack.lock.yml | 4 +++ codeql-custom-queries-java/codeql-pack.yml | 8 +++++ 3 files changed, 42 insertions(+) create mode 100644 .codeql/custom-queries/10-autofixtest-queries/insecure-trustmanager.ql create mode 100644 codeql-custom-queries-java/codeql-pack.lock.yml create mode 100644 codeql-custom-queries-java/codeql-pack.yml diff --git a/.codeql/custom-queries/10-autofixtest-queries/insecure-trustmanager.ql b/.codeql/custom-queries/10-autofixtest-queries/insecure-trustmanager.ql new file mode 100644 index 0000000000..52252f6ad8 --- /dev/null +++ b/.codeql/custom-queries/10-autofixtest-queries/insecure-trustmanager.ql @@ -0,0 +1,30 @@ +/** + * @name Insecure TrustManager that accepts all certificates + * @description Detects custom TrustManager implementations that accept all certificates without validation. + * @kind problem + * @id java/insecure-trustmanager + * @problem.severity error + * @tags security + * certificates + */ + +import java +import java.Class +import java.Method +import java.Expr +import java.DataFlow::PathGraph + +class InsecureTrustManager extends Class { + InsecureTrustManager() { + this.getASupertype*().hasQualifiedName("javax.net.ssl", "X509TrustManager") + } +} + +from InsecureTrustManager tm, Method m +where + m.getDeclaringType() = tm and + m.getName() = "checkServerTrusted" and + m.getNumberOfParameters() = 2 and + m.getBody() instanceof Block and + m.getBody().getNumStmt() = 0 // Empty method body (accepts all certs) +select m, "This TrustManager accepts all certificates without validation. This is insecure." \ No newline at end of file diff --git a/codeql-custom-queries-java/codeql-pack.lock.yml b/codeql-custom-queries-java/codeql-pack.lock.yml new file mode 100644 index 0000000000..5300427457 --- /dev/null +++ b/codeql-custom-queries-java/codeql-pack.lock.yml 
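Review bot: The import lines `import java.Class`, `import java.Method`, `import java.Expr` and `import java.DataFlow::PathGraph` in the new insecure-trustmanager.ql do not look like valid CodeQL module paths — `import java` already brings the Java AST classes into scope, and a `PathGraph` import belongs to `@kind path-problem` queries, not `@kind problem` — so the query will most likely fail to compile; removing those four lines should be enough. Two gaps in the detection logic deserve a sentence in the query header: only `checkServerTrusted` is examined, so an all-trusting `checkClientTrusted` is not reported, and a body consisting of a single `return;` or a logging call is not empty by `getNumStmt() = 0`, so it slips past too. If the library version in use names the block class `BlockStmt` rather than `Block`, the `instanceof Block` test also needs updating.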
@@ -0,0 +1,4 @@ +--- +lockVersion: 1.0.0 +dependencies: {} +compiled: false diff --git a/codeql-custom-queries-java/codeql-pack.yml b/codeql-custom-queries-java/codeql-pack.yml new file mode 100644 index 0000000000..6ea72304bf --- /dev/null +++ b/codeql-custom-queries-java/codeql-pack.yml @@ -0,0 +1,8 @@ +--- +library: false +warnOnImplicitThis: false +compileForOverlayEval: false +name: getting-started/codeql-extra-queries-java +version: 1.0.0 +dependencies: + codeql/java-all: ^7.7.0 From da0626791e2ab0c464e1bca1faa634c91a61092e Mon Sep 17 00:00:00 2001 From: "da.decarolis" Date: Thu, 25 Sep 2025 12:49:19 +0200 Subject: [PATCH 33/36] Autofix for empty catch block --- .../empt-catch-block-detection.ql | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/.codeql/custom-queries/09-cryptographic-security/empt-catch-block-detection.ql b/.codeql/custom-queries/09-cryptographic-security/empt-catch-block-detection.ql index 828829d67c..9d555a2d3b 100644 --- a/.codeql/custom-queries/09-cryptographic-security/empt-catch-block-detection.ql +++ b/.codeql/custom-queries/09-cryptographic-security/empt-catch-block-detection.ql @@ -8,20 +8,18 @@ * @problem.severity warning * @tags maintainability * error-handling + * @autofix */ import java +import semmle.code.java.Autofix + from CatchClause cc where - // Il blocco catch è vuoto (non contiene statement) cc.getBlock().getNumStmt() = 0 and - - // Oppure contiene solo commenti (blocco con solo whitespace/commenti) not exists(Stmt s | s.getParent() = cc.getBlock()) and - - // Esclude catch di InterruptedException (spesso legittimo lasciarli vuoti) not cc.getVariable().getType().(RefType).hasQualifiedName("java.lang", "InterruptedException") - -select cc, "Blocco catch vuoto - potrebbe nascondere errori importanti" +select cc, "Blocco catch vuoto - potrebbe nascondere errori importanti", + Autofix::insertAfter(cc.getBlock(), "System.err.println(\"Exception caught: \" + " + cc.getVariable().getName() + ");") 
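Review bot: The new codeql-pack.yml lives in `codeql-custom-queries-java/`, while the config file in this series points CodeQL at `./.codeql/custom-queries` and the new query was placed under `.codeql/custom-queries/10-autofixtest-queries/`; unless that directory already has its own qlpack, the pack declared here does not cover the queries that actually run. Either move the pack and lock files next to the queries or point the config at this directory. The pack `name: getting-started/codeql-extra-queries-java` is the scaffold default; a name reflecting this repository would avoid a clash when several packs are resolved.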
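Review bot: The new select clause `select cc, "…", Autofix::insertAfter(...)` returns three columns, but the query is still `@kind problem`, whose result shape is an element plus a message, and `semmle.code.java.Autofix` is not a module I can find in the public CodeQL Java library, so as written the query is likely to stop compiling (the series reverts it two commits later). Independently of that, `insertAfter(cc.getBlock(), …)` anchors the generated statement after the catch block, i.e. outside the catch: if applied, the catch would remain empty and `"Exception caught: "` would be printed on every pass through that code, exception or not — the insertion point should be inside the block. If an auto-fix is kept, routing it through the project's logger rather than `System.err` would keep the swallowed failure visible where operators actually look.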
From 7f56a19f575c9c5ff50b1cb66fa2fd8a662b4ec8 Mon Sep 17 00:00:00 2001 From: "d.orru" Date: Thu, 25 Sep 2025 12:54:44 +0200 Subject: [PATCH 34/36] delete new query --- .../insecure-trustmanager.ql | 30 ------------------- 1 file changed, 30 deletions(-) delete mode 100644 .codeql/custom-queries/10-autofixtest-queries/insecure-trustmanager.ql diff --git a/.codeql/custom-queries/10-autofixtest-queries/insecure-trustmanager.ql b/.codeql/custom-queries/10-autofixtest-queries/insecure-trustmanager.ql deleted file mode 100644 index 52252f6ad8..0000000000 --- a/.codeql/custom-queries/10-autofixtest-queries/insecure-trustmanager.ql +++ /dev/null @@ -1,30 +0,0 @@ -/** - * @name Insecure TrustManager that accepts all certificates - * @description Detects custom TrustManager implementations that accept all certificates without validation. - * @kind problem - * @id java/insecure-trustmanager - * @problem.severity error - * @tags security - * certificates - */ - -import java -import java.Class -import java.Method -import java.Expr -import java.DataFlow::PathGraph - -class InsecureTrustManager extends Class { - InsecureTrustManager() { - this.getASupertype*().hasQualifiedName("javax.net.ssl", "X509TrustManager") - } -} - -from InsecureTrustManager tm, Method m -where - m.getDeclaringType() = tm and - m.getName() = "checkServerTrusted" and - m.getNumberOfParameters() = 2 and - m.getBody() instanceof Block and - m.getBody().getNumStmt() = 0 // Empty method body (accepts all certs) -select m, "This TrustManager accepts all certificates without validation. This is insecure." \ No newline at end of file From a293786eb4c357af6ab5410d3686d697eb73e7e4 Mon Sep 17 00:00:00 2001 From: "d.orru" Date: Fri, 26 Sep 2025 11:56:36 +0200 Subject: [PATCH 35/36] Restored empt-catch-block query --- .../empt-catch-block-detection.ql | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) 
diff --git a/.codeql/custom-queries/09-cryptographic-security/empt-catch-block-detection.ql b/.codeql/custom-queries/09-cryptographic-security/empt-catch-block-detection.ql index 9d555a2d3b..f30085ffe7 100644 --- a/.codeql/custom-queries/09-cryptographic-security/empt-catch-block-detection.ql +++ b/.codeql/custom-queries/09-cryptographic-security/empt-catch-block-detection.ql @@ -8,18 +8,13 @@ * @problem.severity warning * @tags maintainability * error-handling - * @autofix */ import java -import semmle.code.java.Autofix - from CatchClause cc where cc.getBlock().getNumStmt() = 0 and not exists(Stmt s | s.getParent() = cc.getBlock()) and not cc.getVariable().getType().(RefType).hasQualifiedName("java.lang", "InterruptedException") -select cc, "Blocco catch vuoto - potrebbe nascondere errori importanti", - Autofix::insertAfter(cc.getBlock(), "System.err.println(\"Exception caught: \" + " + cc.getVariable().getName() + ");") - +select cc, "Blocco catch vuoto - potrebbe nascondere errori importanti" \ No newline at end of file From 90f9e6eb8b7af945e2ac77deb36848b1b247d413 Mon Sep 17 00:00:00 2001 From: MissionOpen Date: Fri, 26 Sep 2025 12:30:17 +0200 Subject: [PATCH 36/36] Update codeql-no-diff.yml Restored only pr trigger --- .github/workflows/codeql-no-diff.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/codeql-no-diff.yml b/.github/workflows/codeql-no-diff.yml index ae36fa87cb..e6596bdbd3 100644 --- a/.github/workflows/codeql-no-diff.yml +++ b/.github/workflows/codeql-no-diff.yml @@ -2,10 +2,8 @@ name: "Codeql on PR / Total Scan" on: - push: - branches: [ "main", "git_actions" ] pull_request: - branches: [ "main", "git_actions" ] #Se voglio triggerare su tutti i rami = branches: [ "*" ] + branches: [ "main", ] #2) CONFIGURAZIONE JOBS jobs:
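Review bot: `branches: [ "main", ]` in the restored trigger carries a trailing comma inside the flow sequence; YAML parsers generally accept it, but it reads as an unfinished edit, so `branches: [ "main" ]` is the cleaner form. The trailing comment explaining how to trigger on all branches was dropped on the same line; if it is still useful, keep it on the line above the list.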