diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..ec59aae
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,47 @@
+on: [pull_request]
+permissions:
+ actions: write
+ checks: write
+ contents: write
+ pull-requests: write
+ statuses: write
+
+jobs:
+ test_codeql:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Setup Java on this machine
+ uses: actions/setup-java@v3
+ with:
+ distribution: "oracle"
+ java-version: "19"
+ - name: Setup Maven on this machine
+ uses: stCarolas/setup-maven@v4.5
+ with:
+ maven-version: 3.8.6
+
+ - name: Checkout repo to get code
+ uses: actions/checkout@v3
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: java
+
+ - name: Run CodeQL autobuild
+ uses: github/codeql-action/autobuild@v2
+
+ - name: Run CodeQL SAST scan
+ uses: github/codeql-action/analyze@v2
+ with:
+ output: ../results
+
+ - name: Run Mobb on the findings and get fixes
+ if: always()
+ uses: mobb-dev/action@beta0.0.4
+ with:
+ report-file: ../results/java.sarif
+ api-key: ${{ secrets.MOBB_API_TOKEN }}
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ scanner: codeql
+ mobb-project-name: Action
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
deleted file mode 100644
index 5a3246f..0000000
--- a/.github/workflows/main.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-on: [pull_request]
-permissions:
- contents: read
- checks: write
- actions: write
- statuses: write
-
-
-jobs:
- test_job:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout repo to get code
- uses: actions/checkout@v3
- - name: Run Snyk SAST scan
- run:
- npx snyk auth ${{ secrets.SNYK_API_KEY }}
-
- npx snyk code test --sarif-file-output=/home/runner/report.json ./
-
- shell: bash -l {0}
- - name: Mobb action step
- if: failure()
- uses: mobb-dev/action@v1
- with:
- report-file: "/home/runner/report.json"
- api-key: ${{ secrets.MOBB_API_TOKEN }}
- github-token: ${{ secrets.GITHUB_TOKEN }}
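Review bot: The `permissions` block at the top of codeql.yml grants `contents: write`, `pull-requests: write` and `actions: write` to a workflow triggered by `pull_request`, which is wider than the `contents: read` the deleted main.yml used, and the same token is then handed to the third-party Mobb step via `github-token`, so every write scope listed is available to that action. Unless the Mobb step is documented to need pushing commits, `contents: read` should be restored and only the scopes the fix-PR step actually uses kept; note also that the block as written does not list `security-events: write`, which `github/codeql-action/analyze@v2` likely needs to upload its SARIF results, so the scan step may fail or be silently limited. Separately, `uses: mobb-dev/action@beta0.0.4` and the other `uses:` references are pinned to mutable tags; pinning to a full commit SHA makes the action supply chain reproducible. The original indentation of this YAML is not recoverable from the page, so the line breaks above are restored without it.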
diff --git a/pom.xml b/pom.xml
new file mode 100644
index 0000000..bc805e6
--- /dev/null
+++ b/pom.xml
@@ -0,0 +1,38 @@
+
+
+ 4.0.0
+ testgroup
+ testartifact
+ 1.0-SNAPSHOT
+ jar
+ testproj
+
+
+ true
+ UTF-8
+
+
+
+
+ javax.servlet
+ javax.servlet-api
+ 3.0.1
+ provided
+
+
+
+
+
+
+ org.apache.maven.plugins
+ maven-compiler-plugin
+ 2.5.1
+
+ 17
+ 17
+
+
+
+
+
diff --git a/src/main/java/SQLInjectionExample.java b/src/main/java/SQLInjectionExample.java
index 16fca15..4d50620 100644
--- a/src/main/java/SQLInjectionExample.java
+++ b/src/main/java/SQLInjectionExample.java
@@ -1,14 +1,22 @@
-import java.sql.*;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.sql.Connection;
+import java.sql.DriverManager;
+import java.sql.Statement;
-public class SQLInjectionExample {
- public static void main(String[] args) throws SQLException {
- String userInputA = args[1];
+public class SQLInjectionExample extends HttpServlet {
+ protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException {
+ try {
+ Connection con = DriverManager.getConnection("jdbc:mysql://localhost:3306/db");
- Connection con = DriverManager.getConnection("jdbc:mysql://localhost:3306/db");
-
+ String query = "SELECT * FROM users WHERE username = '" + request.getParameter("username") + "';";
+ Statement stmt = con.createStatement();
- String query = "SELECT * FROM users WHERE username = '" + userInputA + "';";
- Statement stmt = con.createStatement();
- ResultSet rs = stmt.executeQuery(query);
+ stmt.executeQuery(query);
+ } catch (Exception e) {
+ throw new ServletException(e);
+ }
 }
 }
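Review bot: In the new `doGet` the `Connection` and `Statement` opened inside the try block are never closed, so every request leaks a JDBC connection on the success path and whenever `createStatement` or `executeQuery` throws; the `try` here only translates exceptions into `ServletException`, it does not manage the resources. Both types are `AutoCloseable`, so declaring them in a try-with-resources header closes them in every case while keeping the existing catch. The concatenation of `request.getParameter("username")` into the query is presumably the intentional finding this repository's CodeQL/Mobb workflow exists to detect, so I leave it as is; outside a scanner fixture it would need a `PreparedStatement` with a `?` placeholder. The method also overrides `HttpServlet.doGet` without `@Override`, and the pom.xml hunk's XML tags were stripped on this page, so its contents are restored only as line breaks.
```java
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException {
        try (Connection con = DriverManager.getConnection("jdbc:mysql://localhost:3306/db");
             Statement stmt = con.createStatement()) {
            // … unchanged: query construction and stmt.executeQuery(query) …
        } catch (Exception e) {
            // … unchanged: throw new ServletException(e) …
        }
    }
```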