From c4550ea03d61c7236c2158a0003b162f1e2e317f Mon Sep 17 00:00:00 2001 From: Randall Wyatt Date: Tue, 25 Nov 2025 15:16:14 -0500 Subject: [PATCH 01/11] [SEC-3979] codeql workflow fix --- .github/workflows/codeql.yml | 31 ++++++++++++++++++------------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 7ac6c2e1b..fda59269f 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -7,14 +7,14 @@ on: branches: [ "master" ] jobs: - analyze: + analyze-java: name: Analyze Java - runs-on: ubuntu-latest + runs-on: 'ubuntu-latest' permissions: # required for all workflows security-events: write - # required to fetch internal or private CodeQL packsCodeQ + # required to fetch internal or private CodeQL packs packages: read # only required for workflows in private repositories 
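Review bot: `runs-on: 'ubuntu-latest'` becomes the only quoted scalar in the job header while every neighbouring value (`name: Analyze Java`, `security-events: write`, `packages: read`) stays plain, and the quotes change nothing for the runner, so `runs-on: ubuntu-latest` keeps the file consistent. If the motivation was reproducibility of the scan environment, the label is still a floating alias that GitHub moves between Ubuntu releases; a versioned label such as `ubuntu-24.04` is what actually pins it. The rename from `analyze` to `analyze-java` keeps `name: Analyze Java`, so a required status check keyed on the display name should be unaffected, but that is worth confirming against the `master` branch-protection rules before merging.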
@@ -26,22 +26,32 @@ jobs: matrix: include: - language: java-kotlin - build-mode: autobuild + build-mode: manual + steps: - name: Checkout repository uses: actions/checkout@v4 + with: + fetch-depth: '0' + - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: - languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} + languages: java # If you wish to specify custom queries, you can do so here or in a config file. # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - queries: ${{ matrix.language == 'java-kotlin' && 'security-extended, security-and-quality' }} + queries: security-extended,security-and-quality + + - name: Set up JDK + uses: actions/setup-java@v4 + with: + java-version: '11' # Specify the JDK version your project needs + distribution: 'temurin' + cache: maven # If the analyze step fails for one of the languages you are analyzing with # "We were unable to automatically build your code", modify the matrix above @@ -52,12 +62,7 @@ jobs: - if: matrix.build-mode == 'manual' shell: bash run: | - echo 'If you are using a "manual" build mode for one or more of the' \ - 'languages you are analyzing, replace this with the commands to build' \ - 'your code, for example:' - echo ' make bootstrap' - echo ' make release' - exit 1 + mvn -B clean install -DskipTests - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 From ff8b8bfd3e95e7b4b111387c1a2be9fdba198d0e Mon Sep 17 00:00:00 2001 From: Randall Wyatt Date: Tue, 25 Nov 2025 15:19:38 -0500 Subject: [PATCH 02/11] Working on the flow --- .github/workflows/codeql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
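Review bot: The init step drops `build-mode: ${{ matrix.build-mode }}` while the matrix still declares `build-mode: manual` and the build step is still gated on `matrix.build-mode == 'manual'`, so the matrix value now only toggles a step and CodeQL itself is never told the build is manual; restore `build-mode: ${{ matrix.build-mode }}` under the init step's `with:` (or remove the matrix key and the `if:` together) so the two cannot drift. `languages: java` is likewise hard-coded while the matrix entry stays `java-kotlin`, and a later hunk shows the analyze step's `category` derived from `matrix.language`, so uploaded results would be labelled `java-kotlin` for a `java` analysis. The replacement build command, `mvn -B clean install -DskipTests`, also installs artifacts into the runner's local `~/.m2`, which the scan never reads; `mvn -B clean package -DskipTests` gives the extractor the same compilation with less side effect. `fetch-depth: '0'` pulls the full history, which a single-commit CodeQL scan does not use and which only lengthens checkout, so it is presumably a debugging leftover.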
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index fda59269f..e6479ae95 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -25,7 +25,7 @@ jobs: fail-fast: false matrix: include: - - language: java-kotlin + - language: java build-mode: manual steps: @@ -36,7 +36,7 @@ jobs: - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@v4 with: languages: java # If you wish to specify custom queries, you can do so here or in a config file. From d6b5dca191f32b8da8ce3be9438cdfcbf8a45345 Mon Sep 17 00:00:00 2001 From: Randall Wyatt Date: Tue, 25 Nov 2025 15:20:34 -0500 Subject: [PATCH 03/11] moved the install of jdk up --- .github/workflows/codeql.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e6479ae95..1fe07f787 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -34,6 +34,12 @@ jobs: with: fetch-depth: '0' + - name: Set up JDK + uses: actions/setup-java@v4 + with: + java-version: '11' # Specify the JDK version your project needs + distribution: 'temurin' + cache: maven - name: Initialize CodeQL uses: github/codeql-action/init@v4 @@ -46,12 +52,6 @@ jobs: # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs queries: security-extended,security-and-quality - - name: Set up JDK - uses: actions/setup-java@v4 - with: - java-version: '11' # Specify the JDK version your project needs - distribution: 'temurin' - cache: maven # If the analyze step fails for one of the languages you are analyzing with # "We were unable to automatically build your code", modify the matrix above From 1d7b3ccebef1ea3706329d01cf9da41774d896f1 Mon Sep 17 00:00:00 2001 
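Review bot: Bumping only `github/codeql-action/init` to `@v4` leaves the `Perform CodeQL Analysis` step on `github/codeql-action/analyze@v3` (visible as context in a later hunk), and the CodeQL action expects its init and analyze steps to be at the same major version, so the two should move together: `uses: github/codeql-action/analyze@v4`. The matrix rename to `language: java` removes the label mismatch with `languages: java` and the `category` expression. Moving `Set up JDK` ahead of `Initialize CodeQL` is the sensible order, since the toolchain the traced build will invoke should exist before the tracer is installed, but a one-line comment such as `# JDK must be on PATH before CodeQL starts tracing the build` would keep the next person from reversing it again.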
From: Randall Wyatt Date: Tue, 25 Nov 2025 15:22:49 -0500 Subject: [PATCH 04/11] working on the build --- .github/workflows/codeql.yml | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 1fe07f787..61cfa0765 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -34,12 +34,7 @@ jobs: with: fetch-depth: '0' - - name: Set up JDK - uses: actions/setup-java@v4 - with: - java-version: '11' # Specify the JDK version your project needs - distribution: 'temurin' - cache: maven + - name: Initialize CodeQL uses: github/codeql-action/init@v4 @@ -52,6 +47,16 @@ jobs: # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs queries: security-extended,security-and-quality + - name: Set up JDK + uses: actions/setup-java@v4 + with: + java-version: '11' # Specify the JDK version your project needs + distribution: 'temurin' + cache: maven + - name: Build with Maven + run: mvn clean test --file pom.xml + working-directory: ${{github.workspace}} + # If the analyze step fails for one of the languages you are analyzing with # "We were unable to automatically build your code", modify the matrix above From fd4c89cbe9bac2b39a51124f35a438cbad470f24 Mon Sep 17 00:00:00 2001 From: Randall Wyatt Date: Mon, 1 Dec 2025 09:50:20 -0500 Subject: [PATCH 05/11] working on the build again --- .github/workflows/codeql.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 61cfa0765..5ba7bb23d 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
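Review bot: The new unconditional `Build with Maven` step (`mvn clean test --file pom.xml`) runs in addition to the still-present `mvn -B clean install -DskipTests` step gated on `build-mode == 'manual'` just below this hunk, so the project is compiled twice under the CodeQL tracer and the unit tests execute in the first pass, which slows the scan and lets any test failure abort it before analysis runs. One build is enough: keep a single `run: mvn -B -DskipTests clean package` and delete the other. `working-directory: ${{github.workspace}}` is already the default for every step and can be dropped, and moving the JDK setup back below `Initialize CodeQL` reverses the previous commit's ordering without a stated reason, so whichever order is final deserves a comment explaining it.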
@@ -50,12 +50,9 @@ jobs: - name: Set up JDK uses: actions/setup-java@v4 with: - java-version: '11' # Specify the JDK version your project needs + java-version: '11' distribution: 'temurin' cache: maven - - name: Build with Maven - run: mvn clean test --file pom.xml - working-directory: ${{github.workspace}} # If the analyze step fails for one of the languages you are analyzing with From 0db074dc86bac8a3e81788061b835f42b749af88 Mon Sep 17 00:00:00 2001 From: Randall Wyatt Date: Mon, 1 Dec 2025 09:52:26 -0500 Subject: [PATCH 06/11] more build issues --- .github/workflows/codeql.yml | 30 ++++-------------------------- 1 file changed, 4 insertions(+), 26 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 5ba7bb23d..34fd8dead 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -11,13 +11,8 @@ jobs: name: Analyze Java runs-on: 'ubuntu-latest' permissions: - # required for all workflows security-events: write - - # required to fetch internal or private CodeQL packs packages: read - - # only required for workflows in private repositories actions: read contents: read 
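Review bot: The comments explaining why `security-events: write`, `packages: read`, `actions: read` and `contents: read` are granted are deleted while the grants themselves stay, which leaves a future reader no way to tell which of the four can be trimmed; a trailing note per entry, such as `security-events: write # upload SARIF results to code scanning`, costs nothing and records the least-privilege intent. If `packages: read` existed only to fetch private CodeQL packs and none are used, it is a candidate for removal, but that depends on repository settings not visible here.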
@@ -26,47 +21,30 @@ jobs: matrix: include: - language: java - build-mode: manual steps: - name: Checkout repository uses: actions/checkout@v4 with: + # Fetch all history to ensure accurate CodeQL analysis fetch-depth: '0' - - - name: Initialize CodeQL uses: github/codeql-action/init@v4 with: languages: java - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs queries: security-extended,security-and-quality - - name: Set up JDK + - name: Set up JDK (with fixed cache path) 💡 uses: actions/setup-java@v4 with: java-version: '11' distribution: 'temurin' cache: maven + cache-dependency-path: '**/pom.xml' - # If the analyze step fails for one of the languages you are analyzing with - # "We were unable to automatically build your code", modify the matrix above - # to set the build mode to "manual" for that language. Then modify this step - # to build your code. - # â„šī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - if: matrix.build-mode == 'manual' - shell: bash - run: | - mvn -B clean install -DskipTests - - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 with: - category: "/language:${{matrix.language}}" + category: "/language:${{matrix.language}}" \ No newline at end of file From f5f568cea77b25e9cabf2b4993294129fa06b25b Mon Sep 17 00:00:00 2001 
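Review bot: With `build-mode: manual` removed from the matrix and the `mvn -B clean install -DskipTests` step deleted, nothing compiles the project between `Initialize CodeQL` and `Perform CodeQL Analysis`, and `init` is given no `build-mode` either, so for a compiled language such as Java the analyze step will most likely report that no source code was seen during the build. Either declare `build-mode: none` under the init step's `with:` to scan Java without building, or keep a build step; the cache added via `cache-dependency-path: '**/pom.xml'` only matters in the second case. `init@v4` is still paired with `analyze@v3` in this hunk, and the step title `Set up JDK (with fixed cache path) 💡` carries an emoji and a changelog-style remark that belong in the commit message rather than the step name (`Set up JDK` is enough). Dropping the file's trailing newline, shown by `\ No newline at end of file`, is an unneeded change as well.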
From: Randall Wyatt Date: Mon, 1 Dec 2025 09:54:00 -0500 Subject: [PATCH 07/11] working on trying to find the pom file --- .github/workflows/codeql.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 34fd8dead..60ac0c175 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -26,9 +26,14 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 with: - # Fetch all history to ensure accurate CodeQL analysis fetch-depth: '0' + - name: DEBUG - List Files 💡 + run: | + # The current working directory is already the root of the checked-out repo + pwd + ls -R + - name: Initialize CodeQL uses: github/codeql-action/init@v4 with: From 1f52c2be2cdec8a3844a7a650dbdfe791c7b0773 Mon Sep 17 00:00:00 2001 From: Randall Wyatt Date: Mon, 1 Dec 2025 10:04:53 -0500 Subject: [PATCH 08/11] working on trying to get it to build --- .github/workflows/codeql.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 60ac0c175..1b29a2eb0 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -21,6 +21,7 @@ jobs: matrix: include: - language: java + build-mode: manual steps: - name: Checkout repository @@ -45,8 +46,9 @@ jobs: with: java-version: '11' distribution: 'temurin' - cache: maven - cache-dependency-path: '**/pom.xml' + + - name: CodeQL Manual Build and Install (Traced) + run: mvn -B clean install -DskipTests - name: Perform CodeQL Analysis From 3f7157c51cf1a3e72a8d8746a5cf26ea64d1b9e8 Mon Sep 17 00:00:00 2001 From: Randall Wyatt Date: Mon, 1 Dec 2025 13:21:21 -0500 Subject: [PATCH 09/11] working on trying to get it to build --- .github/workflows/codeql.yml | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 1b29a2eb0..1b6eac4db 100644 
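Review bot: `build-mode: manual` is put back into the matrix but still not passed to `Initialize CodeQL`, and the new `CodeQL Manual Build and Install (Traced)` step is no longer conditioned on it, so the matrix key has no effect on the run; add `build-mode: ${{ matrix.build-mode }}` to the init step's `with:`, where the value is actually consumed, or drop the key. The build should be `mvn -B clean package -DskipTests`, since `install` also writes artifacts into `~/.m2` that the scan never reads. The `DEBUG - List Files 💡` step from the preceding commit (`pwd` / `ls -R`) prints the entire checked-out tree into the workflow log on every run; that is acceptable while locating the missing `pom.xml`, but it must not survive into the merged workflow, and the emoji in step names should go with it.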
--- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -29,27 +29,28 @@ jobs: with: fetch-depth: '0' - - name: DEBUG - List Files 💡 - run: | - # The current working directory is already the root of the checked-out repo - pwd - ls -R - - name: Initialize CodeQL uses: github/codeql-action/init@v4 with: languages: java queries: security-extended,security-and-quality - - name: Set up JDK (with fixed cache path) 💡 + - name: Set up JDK (configured for Gradle) uses: actions/setup-java@v4 with: java-version: '11' distribution: 'temurin' + cache: gradle + cache-dependency-path: | + **/build.gradle + **/settings.gradle + **/gradle-wrapper.properties - - name: CodeQL Manual Build and Install (Traced) - run: mvn -B clean install -DskipTests + - name: Configure Gradle Wrapper Permissions + run: chmod +x gradlew + - name: CodeQL Manual Build with Gradle (Traced) + run: ./gradlew assembleRelease -x test -x lint - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 From c4968b1fa45adc8fbc48b6178d79d1d66fa00dcc Mon Sep 17 00:00:00 2001 From: Randall Wyatt Date: Mon, 1 Dec 2025 13:23:42 -0500 Subject: [PATCH 10/11] working on trying to get it to build again --- .github/workflows/codeql.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 1b6eac4db..0804e61cf 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -46,6 +46,9 @@ jobs: **/settings.gradle **/gradle-wrapper.properties + - name: Set up Android SDK + uses: android-actions/setup-android@v3 + - name: Configure Gradle Wrapper Permissions run: chmod +x gradlew From 14f5aa06bac16bae4e8317149973093b0d68adf3 Mon Sep 17 00:00:00 2001 From: Randall Wyatt Date: Mon, 1 Dec 2025 13:25:35 -0500 Subject: [PATCH 11/11] working on trying to get it to build again --- .github/workflows/codeql.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
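Review bot: `./gradlew assembleRelease -x test -x lint` executes the `gradle-wrapper.jar` committed to the repository without verifying it, and a tampered wrapper jar would run with this job's token and its `security-events: write` grant; add the `wrapper-validation` action from `gradle/actions` (pinned to a commit SHA) between checkout and the `chmod +x gradlew` line, and check that `gradle/wrapper/gradle-wrapper.properties` carries a `distributionSha256Sum` so the downloaded Gradle distribution is verified too. `assembleRelease` builds the release variant, which in a typical Android project expects a signing configuration; if that would pull keystore material from secrets, `assembleDebug` gives CodeQL the same sources to trace without touching release signing, though this needs confirming against the project's `build.gradle`. The pairing of `init@v4` with `analyze@v3` is still visible in this hunk's context and remains unresolved. A short comment such as `# -x test -x lint: CodeQL only needs compilation, not test or lint output` would explain the exclusions.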
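Review bot: `android-actions/setup-android@v3` is a community-maintained action referenced by a mutable tag, so a force-moved `v3` tag would run arbitrary code in a job that holds `security-events: write` and the repository token; pin it to a full commit SHA with the version as a trailing comment, `uses: android-actions/setup-android@<40-char sha> # v3`, and review the action's source at that SHA once. The same pinning discipline applies to `actions/checkout`, `actions/setup-java` and `github/codeql-action` elsewhere in the file, although those are first-party. The step is presumably here because `assembleRelease` fails without an Android SDK on the runner; a one-line comment saying so would spare the next reader the archaeology.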
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 0804e61cf..b7f54bfc3 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -38,7 +38,8 @@ jobs: - name: Set up JDK (configured for Gradle) uses: actions/setup-java@v4 with: - java-version: '11' + # CHANGE: Update the version from '11' to '17' + java-version: '17' distribution: 'temurin' cache: gradle cache-dependency-path: |