Add Java application with multiple vulnerability patterns and CodeQL workflow

Co-authored-by: mickeygousset <20031479+mickeygousset@users.noreply.github.com>

Author: Copilot

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,49 @@
+name: "CodeQL Analysis"
+
+on:
+  push:
+    branches: [ "main", "master" ]
+  pull_request:
+    branches: [ "main", "master" ]
+  schedule:
+    - cron: '15 2 * * 1'  # Weekly on Mondays at 2:15 AM
+
+jobs:
+  analyze:
+    name: Analyze Java Code
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'java' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Set up JDK 11
+      uses: actions/setup-java@v3
+      with:
+        java-version: '11'
+        distribution: 'temurin'
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        queries: +security-and-quality
+
+    # Autobuild attempts to build any compiled languages (Java, C#, Go, etc.)
+    # If this step fails, remove it and run the build manually instead
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:${{matrix.language}}"

pom.xml

@@ -0,0 +1,72 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 
+         http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    
+    <groupId>com.example</groupId>
+    <artifactId>vulnerable-app</artifactId>
+    <version>1.0.0</version>
+    <packaging>jar</packaging>
+    
+    <name>Vulnerable Java Application</name>
+    <description>A simple Java application with intentional vulnerabilities for CodeQL scanning demonstration</description>
+    
+    <properties>
+        <maven.compiler.source>11</maven.compiler.source>
+        <maven.compiler.target>11</maven.compiler.target>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
+    
+    <dependencies>
+        <!-- Database connectivity for SQL injection demos -->
+        <dependency>
+            <groupId>mysql</groupId>
+            <artifactId>mysql-connector-java</artifactId>
+            <version>8.0.33</version>
+        </dependency>
+        
+        <!-- Web framework for HTTP vulnerabilities -->
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-web</artifactId>
+            <version>5.3.21</version>
+        </dependency>
+        
+        <!-- JSON processing -->
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+            <version>2.13.3</version>
+        </dependency>
+        
+        <!-- Testing -->
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <version>4.13.2</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+    
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>3.8.1</version>
+                <configuration>
+                    <source>11</source>
+                    <target>11</target>
+                </configuration>
+            </plugin>
+            
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <version>3.0.0-M7</version>
+            </plugin>
+        </plugins>
+    </build>
+</project>

src/main/java/com/example/app/VulnerableApplication.java

@@ -0,0 +1,38 @@
+package com.example.app;
+
+import com.example.database.UserDatabase;
+import com.example.security.CryptoUtils;
+import com.example.web.FileController;
+
+/**
+ * Main application class demonstrating various Java vulnerabilities
+ * that should be detected by CodeQL scanning.
+ */
+public class VulnerableApplication {
+    
+    public static void main(String[] args) {
+        System.out.println("Starting Vulnerable Application...");
+        
+        // Demonstrate various vulnerable components
+        UserDatabase userDb = new UserDatabase();
+        CryptoUtils crypto = new CryptoUtils();
+        FileController fileController = new FileController();
+        
+        // Example usage that would trigger vulnerabilities
+        String userInput = args.length > 0 ? args[0] : "admin";
+        String password = args.length > 1 ? args[1] : "password123";
+        
+        // SQL Injection vulnerability
+        userDb.authenticateUser(userInput, password);
+        
+        // Weak cryptography
+        String token = crypto.generateToken();
+        System.out.println("Generated token: " + token);
+        
+        // Path traversal vulnerability
+        String filename = args.length > 2 ? args[2] : "../../etc/passwd";
+        fileController.readFile(filename);
+        
+        System.out.println("Application completed.");
+    }
+}

src/main/java/com/example/database/UserDatabase.java

@@ -0,0 +1,70 @@
+package com.example.database;
+
+import java.sql.Connection;
+import java.sql.DriverManager;
+import java.sql.ResultSet;
+import java.sql.Statement;
+
+/**
+ * Database class with intentional SQL injection vulnerabilities
+ * to demonstrate CodeQL detection capabilities.
+ */
+public class UserDatabase {
+    
+    private static final String DB_URL = "jdbc:mysql://localhost:3306/testdb";
+    private static final String DB_USER = "root";
+    private static final String DB_PASSWORD = "password";
+    
+    /**
+     * VULNERABLE: SQL Injection vulnerability - user input directly concatenated
+     * This should trigger a high/critical CodeQL alert
+     */
+    public boolean authenticateUser(String username, String password) {
+        try {
+            Connection conn = DriverManager.getConnection(DB_URL, DB_USER, DB_PASSWORD);
+            Statement stmt = conn.createStatement();
+            
+            // VULNERABILITY: Direct string concatenation leads to SQL injection
+            String query = "SELECT * FROM users WHERE username = '" + username + 
+                          "' AND password = '" + password + "'";
+            
+            System.out.println("Executing query: " + query);
+            ResultSet rs = stmt.executeQuery(query);
+            
+            boolean authenticated = rs.next();
+            
+            rs.close();
+            stmt.close();
+            conn.close();
+            
+            return authenticated;
+            
+        } catch (Exception e) {
+            System.err.println("Database error: " + e.getMessage());
+            return false;
+        }
+    }
+    
+    /**
+     * VULNERABLE: Another SQL injection point
+     */
+    public void updateUserProfile(String userId, String email, String fullName) {
+        try {
+            Connection conn = DriverManager.getConnection(DB_URL, DB_USER, DB_PASSWORD);
+            Statement stmt = conn.createStatement();
+            
+            // VULNERABILITY: String concatenation in UPDATE statement
+            String updateQuery = "UPDATE users SET email = '" + email + 
+                               "', full_name = '" + fullName + 
+                               "' WHERE user_id = " + userId;
+            
+            stmt.executeUpdate(updateQuery);
+            
+            stmt.close();
+            conn.close();
+            
+        } catch (Exception e) {
+            System.err.println("Update failed: " + e.getMessage());
+        }
+    }
+}

src/main/java/com/example/security/CryptoUtils.java

@@ -0,0 +1,77 @@
+package com.example.security;
+
+import java.util.Random;
+import java.security.MessageDigest;
+
+/**
+ * Security utilities with intentional cryptographic vulnerabilities
+ * to demonstrate CodeQL detection capabilities.
+ */
+public class CryptoUtils {
+    
+    // VULNERABLE: Using weak random number generator
+    private static final Random random = new Random();
+    
+    /**
+     * VULNERABLE: Uses weak random number generation for security tokens
+     * This should trigger a CodeQL alert for insecure randomness
+     */
+    public String generateToken() {
+        StringBuilder token = new StringBuilder();
+        
+        // VULNERABILITY: Using java.util.Random for security-sensitive operations
+        for (int i = 0; i < 32; i++) {
+            int randomChar = random.nextInt(36);
+            if (randomChar < 10) {
+                token.append((char) ('0' + randomChar));
+            } else {
+                token.append((char) ('a' + randomChar - 10));
+            }
+        }
+        
+        return token.toString();
+    }
+    
+    /**
+     * VULNERABLE: Uses weak random for session IDs
+     */
+    public String generateSessionId() {
+        // VULNERABILITY: Predictable session ID generation
+        long sessionId = System.currentTimeMillis() + random.nextInt(1000);
+        return Long.toString(sessionId);
+    }
+    
+    /**
+     * VULNERABLE: Weak hash function usage
+     */
+    public String hashPassword(String password) {
+        try {
+            // VULNERABILITY: Using MD5 for password hashing (weak algorithm)
+            MessageDigest md = MessageDigest.getInstance("MD5");
+            byte[] hash = md.digest(password.getBytes());
+            
+            StringBuilder hexString = new StringBuilder();
+            for (byte b : hash) {
+                String hex = Integer.toHexString(0xff & b);
+                if (hex.length() == 1) {
+                    hexString.append('0');
+                }
+                hexString.append(hex);
+            }
+            
+            return hexString.toString();
+            
+        } catch (Exception e) {
+            System.err.println("Hashing failed: " + e.getMessage());
+            return password; // VULNERABILITY: Fallback to plaintext
+        }
+    }
+    
+    /**
+     * VULNERABLE: Hard-coded encryption key
+     */
+    public String getEncryptionKey() {
+        // VULNERABILITY: Hard-coded secret key
+        return "MySecretKey123456789";
+    }
+}