A demonstration Java application with intentional security vulnerabilities for CodeQL scanning.
This repository contains a simple Java application built with Maven that includes several common security vulnerabilities designed to be detected by GitHub's CodeQL static analysis tool.
- Main Application: `com.example.app.VulnerableApplication` - Entry point that demonstrates various vulnerabilities
- Database Layer: `com.example.database.UserDatabase` - Contains SQL injection vulnerabilities
- Security Utils: `com.example.security.CryptoUtils` - Contains weak cryptographic implementations
- Web/File Handling: `com.example.web.FileController` - Contains path traversal and command injection vulnerabilities
- LDAP Authentication: `com.example.ldap.LdapAuth` - Contains LDAP injection vulnerabilities
This application contains the following types of security vulnerabilities:
- SQL Injection - Direct string concatenation in SQL queries
- Command Injection - Unsanitized user input passed to system commands
- Path Traversal - File operations without path validation
- LDAP Injection - Unescaped user input in LDAP filters
- Weak Cryptography - Use of MD5 and weak random number generation
- Hard-coded Secrets - Embedded credentials and encryption keys
The repository includes a GitHub Actions workflow (.github/workflows/codeql-analysis.yml) that:
- Runs CodeQL analysis on push and pull requests
- Uses the autobuild functionality for Java
- Includes security-and-quality queries for comprehensive coverage
- Runs weekly scheduled scans
```bash
# Compile the application
mvn clean compile

# Run tests
mvn test

# Run the application (demonstrates vulnerabilities)
mvn exec:java -Dexec.mainClass="com.example.app.VulnerableApplication"
```

This project is for educational and demonstration purposes only.