Test codeql

.devcontainer/Dockerfile

@@ -3,12 +3,13 @@ FROM ubuntu:22.04 AS codeql_base
 # # tzdata install needs to be non-interactive
 # ENV DEBIAN_FRONTEND=noninteractive
 
-ARG USERNAME=codeql
+ARG USERNAME=root
 ARG CODEQL_HOME=/usr/local/codeql-home
 
 # create user, install/update basics and python
-RUN adduser --home ${CODEQL_HOME} ${USERNAME} && \
-    apt-get update && \
+RUN mkdir ${CODEQL_HOME}
+
+RUN apt-get update && \
     apt-get upgrade -y && \
     apt-get install -y --no-install-recommends \
         software-properties-common \
@@ -30,7 +31,8 @@ RUN adduser --home ${CODEQL_HOME} ${USERNAME} && \
         gcc \
         apt-utils \
         && \
-        apt-get clean
+        apt-get clean \
+        docker-cli
 
 # Install Go
 ARG GOVER=1.21.5

.devcontainer/csharp/devcontainer.json

@@ -1,23 +1,27 @@
-{
-	"name": "CodeQL-CSharp",
-    "build": { "dockerfile": "../Dockerfile" },
-    "features": {
-		"ghcr.io/devcontainers/features/docker-in-docker:2": {},
-	},
-	"customizations": {
-        "extensions": [
-            "ms-vscode-remote.remote-containers"			
-        ],
-        "vscode": {
-            "settings": {
-                "terminal.integrated.shell.linux": "/bin/bash"
-			},
-			"extensions": [
-				"github.vscode-codeql",
-				"MS-SarifVSCode.sarif-viewer",
-				"ms-dotnettools.csharp",
-				"ms-dotnettools.csdevkit"
-			]
-        }
-    }
-  }
+{
+	"name": "CodeQL-CSharp",
+    "build": { "dockerfile": "../Dockerfile" },
+    "features": {
+		"ghcr.io/devcontainers/features/docker-in-docker:2": {},
+        "ghcr.io/devcontainers-contrib/features/act-asdf:2": {},
+		"ghcr.io/devcontainers/features/github-cli:1": {}
+	},
+    "runArgs": ["--privileged"],
+    "mounts": [ "source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind" ],
+	"customizations": {
+        "extensions": [
+            "ms-vscode-remote.remote-containers"			
+        ],
+        "vscode": {
+            "settings": {
+                "terminal.integrated.shell.linux": "/bin/bash"
+			},
+			"extensions": [
+				"github.vscode-codeql",
+				"MS-SarifVSCode.sarif-viewer",
+				"ms-dotnettools.csharp",
+				"ms-dotnettools.csdevkit"
+			]
+        }
+    }
+  }

.devcontainer/devcontainer.json

@@ -1,21 +1,25 @@
-{
-	"name": "CodeQL",
-    "build": { "dockerfile": "Dockerfile" },
-    "features": {
-		"ghcr.io/devcontainers/features/docker-in-docker:2": {}
-	},
-	"customizations": {
-        "extensions": [
-            "ms-vscode-remote.remote-containers"			
-        ],
-        "vscode": {
-            "settings": {
-                "terminal.integrated.shell.linux": "/bin/bash"
-			},
-			"extensions": [
-				"github.vscode-codeql",
-                "MS-SarifVSCode.sarif-viewer"
-			]
-        }
-    }
-  }
+{
+	"name": "CodeQL",
+    "build": { "dockerfile": "Dockerfile" },
+    "features": {
+		"ghcr.io/devcontainers/features/docker-in-docker:2": {},
+        "ghcr.io/devcontainers-contrib/features/act-asdf:2": {},
+        "ghcr.io/devcontainers/features/github-cli:1": {}
+	},
+    "runArgs": ["--privileged"],
+    "mounts": [ "source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind" ],
+	"customizations": {
+        "extensions": [
+            "ms-vscode-remote.remote-containers"			
+        ],
+        "vscode": {
+            "settings": {
+                "terminal.integrated.shell.linux": "/bin/bash"
+			},
+			"extensions": [
+				"github.vscode-codeql",
+                "MS-SarifVSCode.sarif-viewer"
+			]
+        }
+    }
+  }

.devcontainer/kotlin/devcontainer.json

@@ -0,0 +1,28 @@
+{
+	"name": "CodeQL-Kotlin",
+    "build": { "dockerfile": "../Dockerfile" },
+    "features": {
+        "ghcr.io/devcontainers/features/docker-in-docker:2": {},
+		"ghcr.io/devcontainers-contrib/features/act-asdf:2": {},
+		"ghcr.io/devcontainers/features/github-cli:1": {},
+		"ghcr.io/devcontainers/features/java:1": {},
+		"ghcr.io/devcontainers-extra/features/gradle-sdkman:2": {},
+		"ghcr.io/devcontainers-extra/features/kotlin-sdkman:2": {}
+	},
+    "runArgs": ["--privileged"],
+    "mounts": [ "source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind" ],
+	"customizations": {
+        "extensions": [
+            "ms-vscode-remote.remote-containers"			
+        ],
+        "vscode": {
+            "settings": {
+                "terminal.integrated.shell.linux": "/bin/bash"
+			},
+			"extensions": [
+				"github.vscode-codeql",
+                "MS-SarifVSCode.sarif-viewer"
+			]
+        }
+    }
+  }

.devcontainer/node/devcontainer.json

@@ -1,22 +1,26 @@
-{
-	"name": "CodeQL-Node",
-    "build": { "dockerfile": "../Dockerfile" },
-    "features": {
-		"ghcr.io/devcontainers/features/docker-in-docker:2": {},
-        "ghcr.io/devcontainers/features/node:1": {}
-	},
-	"customizations": {
-        "extensions": [
-            "ms-vscode-remote.remote-containers"			
-        ],
-        "vscode": {
-            "settings": {
-                "terminal.integrated.shell.linux": "/bin/bash"
-			},
-			"extensions": [
-				"github.vscode-codeql",
-                "MS-SarifVSCode.sarif-viewer"
-			]
-        }
-    }
-  }
+{
+	"name": "CodeQL-Node",
+    "build": { "dockerfile": "../Dockerfile" },
+    "features": {
+		"ghcr.io/devcontainers/features/node:1": {},
+        "ghcr.io/devcontainers/features/docker-in-docker:2": {},
+		"ghcr.io/devcontainers-contrib/features/act-asdf:2": {},
+		"ghcr.io/devcontainers/features/github-cli:1": {}
+	},
+    "runArgs": ["--privileged"],
+    "mounts": [ "source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind" ],
+	"customizations": {
+        "extensions": [
+            "ms-vscode-remote.remote-containers"			
+        ],
+        "vscode": {
+            "settings": {
+                "terminal.integrated.shell.linux": "/bin/bash"
+			},
+			"extensions": [
+				"github.vscode-codeql",
+                "MS-SarifVSCode.sarif-viewer"
+			]
+        }
+    }
+  }

.devcontainer/python/devcontainer.json

@@ -1,22 +1,26 @@
-{
-	"name": "CodeQL-Python",
-    "build": { "dockerfile": "../Dockerfile" },
-    "features": {
-		"ghcr.io/devcontainers/features/docker-in-docker:2": {},
-        "ghcr.io/devcontainers/features/python:1": {}
-	},
-	"customizations": {
-        "extensions": [
-            "ms-vscode-remote.remote-containers"			
-        ],
-        "vscode": {
-            "settings": {
-                "terminal.integrated.shell.linux": "/bin/bash"
-			},
-			"extensions": [
-				"github.vscode-codeql",
-                "MS-SarifVSCode.sarif-viewer"
-			]
-        }
-    }
-  }
+{
+	"name": "CodeQL-Python",
+    "build": { "dockerfile": "../Dockerfile" },
+    "features": {
+		"ghcr.io/devcontainers/features/docker-in-docker:2": {},
+        "ghcr.io/devcontainers/features/python:1": {},
+        "ghcr.io/devcontainers-contrib/features/act-asdf:2": {},
+		"ghcr.io/devcontainers/features/github-cli:1": {}
+	},
+    "runArgs": ["--privileged"],
+    "mounts": [ "source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind" ],
+	"customizations": {
+        "extensions": [
+            "ms-vscode-remote.remote-containers"			
+        ],
+        "vscode": {
+            "settings": {
+                "terminal.integrated.shell.linux": "/bin/bash"
+			},
+			"extensions": [
+				"github.vscode-codeql",
+                "MS-SarifVSCode.sarif-viewer"
+			]
+        }
+    }
+  }

.github/workflows/codeql-cli.yaml

@@ -4,7 +4,7 @@ on:
     branches: [ "main" ]
 
 jobs:
-  analyze:
+  analyze-cli:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout repository

.github/workflows/codeql-kotlin.yaml

@@ -0,0 +1,49 @@
+name: "CodeQL Advanced - Kotlin"
+
+on:
+  pull_request:
+    branches: [ "main" ]
+  push:
+    branches:
+      - main
+
+
+jobs:
+  analyze-kotlin:
+    name: Analyze Kotlin
+    runs-on: 'ubuntu-latest'
+    permissions:
+      actions: write
+      contents: read
+      packages: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: java-kotlin
+          build-mode: manual
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: java-kotlin
+        queries: security-extended
+
+    - name: Build Project
+      shell: bash
+      run: |
+        cd kotlin-sample; gradle build --info
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"
+
+

.github/workflows/codeql.yaml

@@ -13,11 +13,10 @@ jobs:
     name: Analyze (${{ matrix.language }})
     runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
     permissions:
-      # required for all workflows
-      security-events: write
-
-      # required to fetch internal or private CodeQL packs
+      actions: write
+      contents: read
       packages: read
+      security-events: write
 
     strategy:
       fail-fast: false

kotlin-sample/.gitattributes

@@ -0,0 +1,12 @@
+#
+# https://help.github.com/articles/dealing-with-line-endings/
+#
+# Linux start script should use lf
+/gradlew        text eol=lf
+
+# These are Windows script files and should use crlf
+*.bat           text eol=crlf
+
+# Binary files should be left untouched
+*.jar           binary
+

kotlin-sample/.gitignore

@@ -0,0 +1,5 @@
+# Ignore Gradle project-specific cache directory
+.gradle
+
+# Ignore Gradle build output directory
+build

kotlin-sample/app/build.gradle.kts

@@ -0,0 +1,52 @@
+/*
+ * This file was generated by the Gradle 'init' task.
+ *
+ * This generated file contains a sample Kotlin application project to get you started.
+ * For more details on building Java & JVM projects, please refer to https://docs.gradle.org/8.10.2/userguide/building_java_projects.html in the Gradle documentation.
+ */
+
+plugins {
+    // Apply the org.jetbrains.kotlin.jvm Plugin to add support for Kotlin.
+    alias(libs.plugins.kotlin.jvm)
+
+    // Apply the application plugin to add support for building a CLI application in Java.
+    application
+}
+
+repositories {
+    // Use Maven Central for resolving dependencies.
+    mavenCentral()
+}
+
+dependencies {
+    // Use the Kotlin JUnit 5 integration.
+    testImplementation("org.jetbrains.kotlin:kotlin-test-junit5")
+
+    // Use the JUnit 5 integration.
+    testImplementation(libs.junit.jupiter.engine)
+
+    testRuntimeOnly("org.junit.platform:junit-platform-launcher")
+
+    // This dependency is used by the application.
+    implementation(libs.guava)
+
+    implementation("mysql:mysql-connector-java:8.0.33") // MySQL driver for JDBC
+    testImplementation(kotlin("test"))
+}
+
+// Apply a specific Java toolchain to ease working on different environments.
+java {
+    toolchain {
+        languageVersion = JavaLanguageVersion.of(21)
+    }
+}
+
+application {
+    // Define the main class for the application.
+    mainClass = "org.example.AppKt"
+}
+
+tasks.named<Test>("test") {
+    // Use JUnit Platform for unit tests.
+    useJUnitPlatform()
+}