{"id":19652715,"url":"https://github.com/advanced-security/demo-java","last_synced_at":"2025-04-12T18:44:28.471Z","repository":{"id":40571219,"uuid":"365991637","full_name":"advanced-security/demo-java","owner":"advanced-security","description":"GitHub Advanced Security scanning tutorial repository for Java","archived":false,"fork":false,"pushed_at":"2024-10-15T16:06:59.000Z","size":4071,"stargazers_count":9,"open_issues_count":2,"forks_count":267,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-04-04T00:07:16.058Z","etag":null,"topics":["advanced-security","demo","devsecops","example","security","static-analysis"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/advanced-security.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-05-10T09:42:24.000Z","updated_at":"2025-03-27T01:16:49.000Z","dependencies_parsed_at":"2024-11-11T15:12:01.551Z","dependency_job_id":"3d0877a4-495e-4c7e-b145-90a3c8af0232","html_url":"https://github.com/advanced-security/demo-java","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Fdemo-java","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Fdemo-java/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Fdemo-java/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHu
b/repositories/advanced-security%2Fdemo-java/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/advanced-security","download_url":"https://codeload.github.com/advanced-security/demo-java/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248617199,"owners_count":21134190,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["advanced-security","demo","devsecops","example","security","static-analysis"],"created_at":"2024-11-11T15:11:51.593Z","updated_at":"2025-04-12T18:44:28.448Z","avatar_url":"https://github.com/advanced-security.png","language":"Java","readme":"# Code Scanning Java Tutorial\n\nWelcome to the Code Scanning Java Tutorial! This tutorial will take you through how to set up GitHub Advanced Security: Code Scanning as well as how to interpret the results it may find. The following repository contains a SQL injection vulnerability for demonstration purposes.\n\n## Introduction\n\nCode scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub.\n\nYou can use code scanning with CodeQL, a semantic code analysis engine. CodeQL treats code as data, allowing you to find potential vulnerabilities in your code with greater confidence than traditional static analyzers.\n\nThis tutorial will use CodeQL Analysis with Code Scanning in order to search for vulnerabilities within your code. 
\n\n## Instructions\n\n\u003cdetails\u003e\n\u003csummary\u003eCreate repository fork\u003c/summary\u003e\n\u003cp\u003e \n  \nBegin by [creating a new repository from a fork (public)](https://docs.github.com/en/get-started/quickstart/fork-a-repo) or [cloning the repository](https://docs.github.com/en/repositories/creating-and-managing-repositories/cloning-a-repository).\n\n\u003cimg src=\"images/00-repo-fork.png\" width=\"70%\"/\u003e\n\nWhen creating the forked repository, make sure to \n\n1. Select the correct org / user account\n2. Create a name for your new repository\n3. Disable main branch only cloning\n4. Create the repository from the template\n\n\u003c/p\u003e\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eEnable Code Scanning\u003c/summary\u003e\n\u003cp\u003e \n\n#### Security tab\n\nClick on the `Security` tab.\n\n\n\u003cimg src=\"images/00-repo-security-tab.png\" width=\"70%\"/\u003e\n\n#### Set up code scanning\n\nClick `Set up code scanning`.\n\n\u003cimg src=\"images/01-repo-secruity-setup-code-scanning.png\" width=\"70%\"/\u003e\n\n#### Setup Workflow\n\nClick the `Setup this workflow` button by CodeQL Analysis.\n\n\u003cimg src=\"images/02-repo-security-setup-codeql-workflow.png\" width=\"70%\"/\u003e\n\nThis will create a GitHub Actions Workflow file with CodeQL already set up. Since Java is a compiled language, you will need to set up the build in later steps. See the [documentation](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/running-codeql-code-scanning-in-your-ci-system) if you would like to configure CodeQL Analysis with a third-party CI system instead of using GitHub Actions.\n\u003c/p\u003e\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \n\u003csummary\u003eActions Workflow file\u003c/summary\u003e\n\u003cp\u003e\n\n#### Actions Workflow\n\nThe Actions Workflow file contains a number of different sections including:\n1. Checking out the repository\n2. 
Initializing the CodeQL Action\n3. Running Autobuilder (or code your own build steps if autobuild doesn't work)\n4. Running the CodeQL Analysis\n\n\u003cimg src=\"images/03-actions-sample-workflow.png\" width=\"80%\"/\u003e\n\nClick `Start Commit` -\u003e `Commit this file` to commit the changes to _main_ branch.\n\u003c/p\u003e\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \n\u003csummary\u003eWorkflow triggers\u003c/summary\u003e\n\u003cp\u003e\n\n#### Workflow triggers\n\nThere are a [number of events](https://docs.github.com/en/free-pro-team@latest/actions/reference/events-that-trigger-workflows) that can trigger a GitHub Actions workflow. In this example, the workflow will be triggered on\n\n\u003cimg src=\"images/04-actions-sample-events.png\" width=\"50%\"/\u003e\n\n- push to _main_ branch\n- pull request to merge to _main_ branch\n- on schedule, at 6:33 every Thursday\n\nSetting up the new CodeQL workflow and committing it to _main_ branch in the step above will trigger the scan.\n\n\u003c/p\u003e\n\u003c/details\u003e\n\n\n\u003cdetails\u003e\n\u003csummary\u003eGitHub Actions Progress\u003c/summary\u003e\n\n\u003cp\u003e\n \n#### GitHub Actions Progress\n\nClick `Actions` tab -\u003e `CodeQL`\n\nClick the specific workflow run. You can view the progress of the Workflow run until the analysis completes.\n\n\u003cimg src=\"images/05-actions-completed.png\" width=\"80%\"/\u003e\n\n\u003c/p\u003e\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eSecurity Issues\u003c/summary\u003e\n\u003cp\u003e\n  \nOnce the Workflow has completed, click the `Security` tab -\u003e ` Code Scanning Alerts`. 
A security alert \"Query built from user-controlled sources\" should be visible.\n\n#### Security Alert View\n\nClicking on the security alert will provide details about the security alert including: \u003cbr/\u003e\n\u003cul\u003e\n\u003cli\u003eA description of the issue \u003c/li\u003e\n\u003cli\u003eA tag to the CWE that it is connected to as well as the type of alert (Error, Warning, Note)\u003c/li\u003e\n\u003cli\u003eThe line of code that triggered the security alert\u003c/li\u003e\n\u003cli\u003eThe ability to dismiss the alert depending on certain conditions (`False positive`? `Won't fix`? `Used in tests`?)\u003c/li\u003e\n\u003c/ul\u003e\n\u003cimg src=\"images/06-security-codeql-alert.png\" width=\"80%\"/\u003e\n\n#### Security Alert Description\n\nClick `Show more` to view a full description of the alert including examples and links to additional information.\n\n\u003cimg src=\"images/07-security-codeql-show-more.png\" width=\"80%\"/\u003e\n\n#### Security Full Description\n\n\u003cimg width=\"80%\" src=\"images/08-security-codeql-full-desc.png\"\u003e\n\n\u003c/p\u003e\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eShow Paths\u003c/summary\u003e\n\u003cp\u003e\n\n#### Show Paths Button\n\nCodeQL Analysis is able to trace the dataflow path from source to sink and gives you the ability to view that path within the alert.\n\nClick `show paths` in order to see the dataflow path that resulted in this alert.\n\n\u003cimg src=\"images/09-security-codeql-show-paths.png\" width=\"80%\"/\u003e\n\n#### Show Paths View\n\n\u003cimg src=\"images/10-security-codeql-show-paths-details.png\" width=\"80%\"/\u003e\n\n\u003c/p\u003e\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003cp\u003e  \n  \n\u003csummary\u003eFix the Security Alert\u003c/summary\u003e\n\nIn order to fix this specific alert, we will need to ensure that parameters used in the SQL query are validated and sanitized.\n\nClick on the `Code` tab and 
[Edit](https://docs.github.com/en/free-pro-team@latest/github/managing-files-in-a-repository/editing-files-in-your-repository) the file [`IndexController.java`](./src/main/java/com/github/hackathon/advancedsecurityjava/Controllers/IndexController.java) in the `Controllers` folder, and replace its content with the content of the file [`fixme`](./fixme).\n\n\u003cimg src=\"images/11-fix-source-code.png\" width=\"30%\"/\u003e\n\nClick `Create a new branch for this commit and start a pull request`, name the branch `fix-sql-injection`, and create the Pull Request.\n\n#### Pull Request Status Check\n\nIn the Pull Request, you will notice that the CodeQL Analysis has started as a status check. Wait until it completes.\n\n\u003cimg src=\"images/12-fix-pr-in-progress.png\" width=\"80%\"/\u003e\n\n#### Security Alert Details\n\nAfter the Workflow has completed, click on `Details` by the `Code Scanning Results / CodeQL` status check. \n\n\u003cimg src=\"images/13-fix-pr-done.png\" width=\"80%\"/\u003e\n\n#### Fixed Alert\n\nNotice that Code Scanning has detected that this Pull Request will fix the SQL injection vulnerability that was detected before.\n\n\u003cimg src=\"images/14-fix-detail.png\" width=\"80%\"/\u003e\n\nMerge the Pull Request. After the Pull Request has been merged, another Workflow will kick off to scan the repository for any vulnerabilities. \n\n#### Closed Security Alerts\n\nAfter the final Workflow has completed, navigate back to the `Security` tab and click `Closed`. Notice that the **Query built from user-controlled sources** security alert now shows up as a closed issue.\n\n\u003cimg src=\"images/15-fixed-alert.png\" width=\"80%\"/\u003e\n\n#### Traceability\n\nClick on the security alert and notice that it details when the fix was made, by whom, and the specific commit. 
This provides full traceability to detail when and how a security alert was fixed and exactly what was changed to remediate the issue.\n\n\u003cimg src=\"images/16-fix-history.png\" width=\"80%\"/\u003e\n\n\u003c/p\u003e\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003ePrevent new Alerts in a Pull Request\u003c/summary\u003e\n\u003cp\u003e\n\n#### Create Pull Request from new feature Branch\n\nNow that we have set up CodeQL Analysis and have fixed a security alert, we can try to introduce an alert into a Pull Request.\n\nCreate a new Pull Request with the base branch as your `main` branch and the compare branch as the `new-feature` branch.\n\n\u003cimg src=\"images/17-create-pull-request.png\" width=\"70%\"/\u003e\n\nMake sure that the base branch is set to your own repository's `main` branch rather than the original repository's `main` branch.\n\n\n#### Pull Request Status Check\n\nOnce the Pull Request has been created, you will notice that the CodeQL Analysis has started as a status check. 
Wait until it completes.\n\nAfter the Workflow has completed, the `Code Scanning Results / CodeQL` status check will have failed.\nNotice that Code Scanning has detected that this Pull Request introduces a new security alert.\n\n\u003cimg src=\"images/18-pr-check-failed.png\" width=\"80%\"/\u003e\n\n\n#### Alert Centric Notifications\n\nDirectly in the Pull Request, you will notice that GitHub Code Scanning bot has left a review of the Pull Request with the security alert details.\nThis will help developers to quickly identify security issues introduced in their Pull Requests.\n\n\u003cimg src=\"images/19-pr-review.png\" width=\"80%\"/\u003e\n\n\nThis also allows for collaboration between developers and security teams to discuss the security alert and how to remediate it.\n\n\u003cimg src=\"images/20-pr-review-collaboration.png\" width=\"80%\"/\u003e\n\n#### Security Alert Details\n\nClick on `Show more details` by the new `Code Scanning Alert` to jump to the `Security` tab and view the security alert details.\n\n\u003cimg src=\"images/21-pr-show-more-details.png\" width=\"80%\"/\u003e\n\nNotice that the security alert was found `In pull request` and not in the `main` branch (production).\n\n\n\u003c/p\u003e\n\u003c/details\u003e\n\n\n## Next Steps\n\nReady to talk about advanced security features for GitHub Enterprise? 
[Contact Sales](https://enterprise.github.com/contact) for more information!\n\nCheck out [GitHub's Security feature page](https://github.com/features/security) for more security features embedded into GitHub.\n\nCheck out the Code Scanning [documentation](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) for additional configuration options and technical details.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadvanced-security%2Fdemo-java","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fadvanced-security%2Fdemo-java","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadvanced-security%2Fdemo-java/lists"}