MissionOpen · ottantotto88 · Sep 17, 2025 · Sep 17, 2025 · Sep 18, 2025 · Sep 18, 2025
diff --git a/.codeql/custom-queries/02-compliance/gdpr-data-processing-detection.ql b/.codeql/custom-queries/02-compliance/gdpr-data-processing-detection.ql
@@ -1,8 +1,11 @@
-// by claude (Sonnet 4)
 
 /**
  * @name GDPR Data Processing Detection
  * @description Rileva possibili violazioni GDPR nel processing di dati personali
+ * @kind problem
+ * @id java/find-sql-queries
+ * @problem.severity recommendation
+ * @tags security
  */
 
 import java

diff --git a/.codeql/custom-queries/03-standard-aziendali-interni/company-doc-template-adherence-a.ql b/.codeql/custom-queries/03-standard-aziendali-interni/company-doc-template-adherence-a.ql
@@ -8,12 +8,6 @@
  * @problem.severity warning
  * @tags documentation
  *       style
- *
- * Notes:
- * - Configure requiredDocFragments with the strings (or regex fragments) that must appear in the Javadoc header according to your company template
- *   (for example: "Component:", "Owner:", "API:", "@since", "@deprecated", etc).
- * - This query heuristically checks Javadoc text exposed by the CodeQL model. If your template is maintained as Markdown files,
- *   consider adding a separate query that inspects repository Markdown files under docs/ or the template repository.
  */
 
 import java

diff --git a/.codeql/custom-queries/04-architettura-del-codice/god-class-detection.ql b/.codeql/custom-queries/04-architettura-del-codice/god-class-detection.ql
@@ -8,10 +8,6 @@
  * @problem.severity warning
  * @tags architecture
  *       design
- *
- * Notes:
- * - Thresholds are conservative defaults; tune per project:
- *   methodsThreshold = 50, fieldsThreshold = 30, totalLocThreshold = 2000
  */
 
 import java

diff --git a/.codeql/custom-queries/08-resource-management/resource-leak-detection.ql b/.codeql/custom-queries/08-resource-management/resource-leak-detection.ql
@@ -6,6 +6,7 @@
  * @kind problem
  * @id java/resource-leak-detection
  * @problem.severity warning
+ * @tags security
  */
 
 import java

diff --git a/.codeql/custom-queries/09-cryptographic-security/empt-catch-block-detection.ql b/.codeql/custom-queries/09-cryptographic-security/empt-catch-block-detection.ql
@@ -14,14 +14,7 @@ import java
 
 from CatchClause cc
 where 
-  // Il blocco catch è vuoto (non contiene statement)
   cc.getBlock().getNumStmt() = 0 and
-
-  // Oppure contiene solo commenti (blocco con solo whitespace/commenti)
   not exists(Stmt s | s.getParent() = cc.getBlock()) and
-
-  // Esclude catch di InterruptedException (spesso legittimo lasciarli vuoti)
   not cc.getVariable().getType().(RefType).hasQualifiedName("java.lang", "InterruptedException")
-
-select cc, "Blocco catch vuoto - potrebbe nascondere errori importanti"
-
+select cc, "Blocco catch vuoto - potrebbe nascondere errori importanti"
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
@@ -0,0 +1,18 @@
+name: "Custom CodeQL Configuration"
+
+queries:
+  - uses: ./.codeql/custom-queries
+
+disable-default-queries: true
+
+# È necessario aggiungere almeno un'istruzione query, queries, o qlpack alla definizione della suite, altrimenti non verrà selezionata alcuna query.
+# https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-codeql-query-suites
+
+# - query: path/to/query.ql
+# - queries: path/to/queries/
+# - exclude: path/to/excluded-query.ql
+# - include: another-suite.qls
+# - tags: security
+
+# Attraverso i tags nei metadati delle query CodeQL puoi selezionare (includere o escludere) facilmente gruppi di query in una query suite.
+# https://codeql.github.com/docs/writing-codeql-queries/metadata-for-codeql-queries/
diff --git a/.github/workflows/codeql-advanced-setup.yml b/.github/workflows/codeql-advanced-setup.yml
diff --git a/.github/workflows/codeql-no-diff.yml b/.github/workflows/codeql-no-diff.yml
@@ -0,0 +1,63 @@
+#1) HEADER & TRIGGER
+name: "Codeql on PR / Total Scan"
+
+on:
+  pull_request:
+    branches: [ "main", ]
+
+#2) CONFIGURAZIONE JOBS
+jobs:
+  analyze:
+    name: Analyze Java - Total no Diff
+    runs-on: ubuntu-latest
+
+#3) PERMESSI - DEFINISCE COSA PUO' FARE IL WORKFLOW NEL REPOSITORY
+    permissions:
+      security-events: write # Per scrivere risultati di sicurezza
+      packages: read # Per scaricare query pack CodeQL
+      actions: read # Per leggere altri workflow
+      contents: read # Per leggere il codice del repo
+
+#4) CHECKOUT
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+#5) SETUP JAVA
+    - name: Setup Java
+      uses: actions/setup-java@v4
+      with:
+        distribution: 'temurin'
+        java-version: '21'
+
+#6) INITIALIZE CODEQL
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: java-kotlin
+        build-mode: none
+        config-file: ./.github/codeql/codeql-config.yml
+
+#7) ANALISI CODEQL
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+
+#8) DEBUG
+    - name: Debug SARIF Path
+      run: find /home/runner/work/WebGoat/ -name "*.sarif"
+
+#9) UPLOAD SARIF E CREAZIONE ARTIFACT
+    - name: Upload SARIF
+      uses: actions/upload-artifact@v4
+      with:
+        name: sarif-report
+        path: /home/runner/work/WebGoat/results/java.sarif
+
+#10) SUMMARY
+    - name: Analysis Summary
+      run: |
+        echo "WebGoat CodeQL analysis completed"
+        echo "Files analyzed: ${{ steps.changed-files.outputs.all_changed_files }}"
+        echo "Language: java-kotlin"
+
+
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,111 @@
+
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+
+#1) HEADER & TRIGGER
+name: "Codeql on PR / Conditional Scan NEW"
+
+on:
+  pull_request:
+    branches: [ "main" ] #Se voglio triggerare su tutti i rami = branches: [ "*" ]
+
+#2) CONFIGURAZIONE JOBS
+jobs:
+  analyze:
+    name: Analyze Java - Conditional
+    runs-on: ubuntu-latest
+
+#3) PERMESSI - DEFINISCE COSA PUO' FARE IL WORKFLOW NEL REPOSITORY
+    permissions:
+      security-events: write # Per scrivere risultati di sicurezza
+      packages: read # Per scaricare query pack CodeQL
+      actions: read # Per leggere altri workflow
+      contents: read # Per leggere il codice del repo
+
+#4) CHECKOUT
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0  # Necessario per rilevare i file modificati
+
+#5) RILEVAMENTO FILE MODIFICATI
+    - name: Get changed files
+      id: changed-files
+      uses: tj-actions/changed-files@v44 # https://github.com/tj-actions/changed-files
+      with:
+        files: |
+          **/*.java
+          **/*.xml
+          **/*.properties
+
+#6) SETUP JAVA - CONDIZIONALE
+    - name: Setup Java
+      if: steps.changed-files.outputs.any_changed == 'true'
+      uses: actions/setup-java@v4
+      with:
+        distribution: 'temurin'
+        java-version: '21'
+
+#7) INITIALIZE CODEQL - CONDIZIONALE
+    - name: Initialize CodeQL
+      if: steps.changed-files.outputs.any_changed == 'true'
+      uses: github/codeql-action/init@v3
+      with:
+        languages: java-kotlin
+        build-mode: none
+        config-file: ./.github/codeql/codeql-config.yml
+        # https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-codeql-model-packs
+
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+#8) BUILD MANUALE - CONDIZIONALE
+    # - name: Build WebGoat - Full Project
+    #   if: steps.changed-files.outputs.any_changed == 'true'
+    #   run: |
+    #     echo "Building complete WebGoat project..."
+    #     mvn clean compile -DskipTests -q
+    #     echo "Build completed successfully"
+
+#9) ANALISI CODEQL - CONDIZIONALE
+    - name: Perform CodeQL Analysis
+      if: steps.changed-files.outputs.any_changed == 'true'
+      uses: github/codeql-action/analyze@v3
+
+#10) DEBUG
+    - name: Debug SARIF Path
+      if: steps.changed-files.outputs.any_changed == 'true'
+      run: find /home/runner/work/WebGoat/ -name "*.sarif"
+
+#11) UPLOAD SARIF E CREAZIONE ARTIFACT
+    - name: Upload SARIF
+      if: steps.changed-files.outputs.any_changed == 'true'
+      uses: actions/upload-artifact@v4
+      with:
+        name: sarif-report
+        path: /home/runner/work/WebGoat/results/java.sarif
+
+#12) SUMMARY
+    - name: Analysis Summary
+      if: steps.changed-files.outputs.any_changed == 'true'
+      run: |
+        echo "WebGoat CodeQL analysis completed"
+        echo "Files analyzed: ${{ steps.changed-files.outputs.all_changed_files }}"
+        echo "Language: java-kotlin"
+
+    - name: No Changes Summary
+      if: steps.changed-files.outputs.any_changed == 'false'
+      run: |
+        echo "No Java/XML/Properties files changed"
+        echo "⏭CodeQL analysis skipped for performance"
+