
@MartelliEnrico MartelliEnrico commented Sep 28, 2025

Summary by CodeRabbit

  • Chores

    • Added automated CodeQL security analysis in CI with results uploaded for visibility.
    • CI now filters analysis results to exclude generated and build-related paths and includes a dedicated analysis workflow.
  • Tests

    • Code coverage report now written to the standard build directory for better tool integration.
    • No changes to test execution or outcomes.

coderabbitai bot commented Sep 28, 2025

Warning

Rate limit exceeded

@MartelliEnrico has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 6 minutes and 0 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 115dd81 and 48789c2.

📒 Files selected for processing (2)
  • .github/workflows/unit-test.yml (3 hunks)
  • build.gradle (2 hunks)
📝 Walkthrough

Updates CI to write JaCoCo XML to build/code-coverage/report.xml and introduce a two-stage CodeQL flow: run CodeQL during unit-tests (Linux) producing SARIF as an artifact, then a separate codeql job downloads, filters, and uploads the SARIF. Qodana steps remain unchanged.

Changes

CI workflow: unit tests & CodeQL (.github/workflows/unit-test.yml)
  • Initialize CodeQL in the tests job (Linux) with language set to Java and queries including security-and-quality.
  • Change coverage upload path to build/code-coverage/report.xml (from .qodana/...).
  • Add CodeQL analysis step in tests job that disables upload and writes SARIF to build/sarif-results.
  • Upload SARIF as artifact codeql_analysis.
  • Add separate codeql job that checks out full history, downloads codeql_analysis, filters SARIF to exclude generated and Gradle paths, and uploads filtered SARIF to CodeQL. Qodana steps unchanged.
Build configuration: JaCoCo report (build.gradle)
  • Update JaCoCo XML report destination to build/code-coverage/report.xml; no behavioural changes beyond the path.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant GH as GitHub Actions
  participant UT as unit-tests (Linux)
  participant Art as Artifact Store
  participant CQ as codeql job
  participant CodeQL as CodeQL Service
  participant Q as Qodana

  GH->>UT: Checkout repo
  UT->>UT: Run tests & JaCoCo -> build/code-coverage/report.xml
  UT->>UT: Init CodeQL (Java, security-and-quality)
  UT->>UT: Run CodeQL analysis (upload disabled) -> build/sarif-results/*.sarif
  UT->>Art: Upload artifact "codeql_analysis"
  UT->>Q: Run Qodana (unchanged)

  GH->>CQ: Start codeql job (needs: unit-tests)
  CQ->>CQ: Checkout with full history
  CQ->>Art: Download "codeql_analysis" -> build/sarif-results
  CQ->>CQ: Filter SARIF (exclude generated & Gradle paths)
  CQ->>CodeQL: Upload filtered SARIF
  CodeQL-->>CQ: Acknowledge upload

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

A rabbit nudges CI logs bright, 🐇
Moves coverage up into the light.
CodeQL hops, then saves its song—
Packaged SARIF wanders along.
Qodana hums; pipelines delight.

Pre-merge checks

✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title Check: ✅ Passed. The title “Add CodeQL analysis” succinctly and accurately describes the primary change in this pull request, which introduces CodeQL scanning steps and related workflow modifications to the repository.
  • Docstring Coverage: ✅ Passed. No functions found in the changes. Docstring coverage check skipped.

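The SARIF filtering step described in the walkthrough above, as an added Python example that is not code from the PR or from the advanced-security/filter-sarif action: it drops every result whose location falls under the PR's exclusion patterns (`.gradle/**`, `**/generated/**`), which is what keeps findings in generated and Gradle-managed code out of the Security tab. The SARIF document is constructed, and the `**` glob handling is a simplified stand-in for the action's own matcher.

```python
import json
import re

def _result(rule_id, uri):
    """Build a minimal SARIF result with one physical location."""
    return {"ruleId": rule_id, "locations": [
        {"physicalLocation": {"artifactLocation": {"uri": uri}}}]}

# Constructed sample SARIF (not taken from the project): one finding in real
# source, one in Gradle-generated sources, one under the .gradle directory.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "CodeQL"}},
    "results": [_result("java/sql-injection", "src/main/java/App.java"),
                _result("java/unused-variable", "build/generated/sources/Foo.java"),
                _result("java/path-injection", ".gradle/cache/Bar.java")]}]})

# The exclusion patterns from the PR's filter-sarif step, minus the leading '-'.
EXCLUDE_PATTERNS = [".gradle/**", "**/generated/**"]

def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a path glob to a regex: '**' spans directories, '*' stays in one."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out, i = out + "(?:.*/)?", i + 3
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

def filter_sarif(sarif_text: str, exclude_patterns) -> dict:
    """Drop every result that has any location under an excluded path."""
    doc = json.loads(sarif_text)
    regexes = [glob_to_regex(p) for p in exclude_patterns]
    for run in doc.get("runs", []):
        run["results"] = [r for r in run.get("results", []) if not any(
            rx.match(loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri", ""))
            for loc in r.get("locations", []) for rx in regexes)]
    return doc

def remaining_rule_ids(sarif_text: str = SAMPLE_SARIF, patterns=EXCLUDE_PATTERNS) -> list:
    """Rule ids that survive filtering; on the sample only the real-source finding remains."""
    return [r["ruleId"] for run in filter_sarif(sarif_text, patterns)["runs"]
            for r in run["results"]]
```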

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2f03ec8 and 2816db8.

📒 Files selected for processing (2)
  • .github/workflows/unit-test.yml (1 hunks)
  • build.gradle (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Execute unit tests (windows-latest)
  • GitHub Check: Execute unit tests (ubuntu-latest)
  • GitHub Check: Execute unit tests (macos-13)
🔇 Additional comments (1)
build.gradle (1)

73-74: Coverage report path aligns with artifact upload.
The JaCoCo XML target now points at build/code-coverage/report.xml, matching the workflow upload path without needing extra wiring.

coderabbitai bot previously approved these changes Sep 28, 2025

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/unit-test.yml (1)

57-65: Coverage artifact path likely breaks Qodana consumption.

Uploading a single file at build/code-coverage/report.xml means the downloaded artifact lands under .qodana/code-coverage/build/code-coverage/report.xml, while Qodana expects .qodana/code-coverage/report.xml by default. Add a normalisation step in the Qodana job after download (or change Qodana config to point at the nested path).

Apply this diff in the qodana job to normalise the path:

       - name: Download coverage report
         uses: actions/download-artifact@v5
         with:
           name: coverage_report
           path: .qodana/code-coverage
+
+      - name: Normalise coverage path for Qodana
+        if: ${{ runner.os == 'Linux' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          src=".qodana/code-coverage/build/code-coverage/report.xml"
+          dst=".qodana/code-coverage/report.xml"
+          if [ -f "$src" ]; then
+            mv "$src" "$dst"
+          else
+            echo "Coverage XML not found at $src" >&2
+            exit 1
+          fi
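Review bot: the `else` branch of the added `Normalise coverage path for Qodana` step fails the job whenever `$src` is missing, and that includes the case where the report is already sitting at `$dst`. actions/upload-artifact stores a single-file `path` relative to that file's own directory, so `build/code-coverage/report.xml` may well be extracted straight to `.qodana/code-coverage/report.xml` with no nested `build/code-coverage/` prefix, in which case this step would hard-fail every Qodana run. Test the destination before the source, e.g. `if [ -f "$dst" ]; then echo "coverage already in place"; elif [ -f "$src" ]; then mv "$src" "$dst"; else`, keeping the `exit 1` only for the case where neither file exists, and confirm the real artifact layout in one run before merging.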
🧹 Nitpick comments (1)
.github/workflows/unit-test.yml (1)

82-117: Minor polish: step naming and redundant condition.

  • Lines 96‑101: The step name says “Download coverage report” but downloads CodeQL SARIF. Rename for clarity.
  • Lines 102‑111: The job runs on ubuntu‑latest; if: runner.os == 'Linux' is redundant here.

Apply this diff to tidy up:

-      - name: Download coverage report
+      - name: Download CodeQL analysis artifact
         uses: actions/download-artifact@v5
         with:
           name: codeql_analysis
           path: build/sarif-results

-      - name: Filter SARIF
-        uses: advanced-security/filter-sarif@v1
-        if: runner.os == 'Linux'
+      - name: Filter SARIF
+        uses: advanced-security/filter-sarif@v1
         with:
           patterns: |
             -.gradle/**
             -**/generated/**
           input: build/sarif-results/java.sarif
           output: build/sarif-results/java.sarif
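Review bot: the `Filter SARIF` step sets `input` and `output` to the same file, `build/sarif-results/java.sarif`, so the unfiltered results are overwritten in place and there is nothing left to compare against if the `-.gradle/**` and `-**/generated/**` patterns ever drop more than intended or the action fails mid-write. Write to a separate path, e.g. `output: build/sarif-results/java.filtered.sarif`, and point the SARIF upload step at that file; the step rename and the removed `if: runner.os == 'Linux'` guard look right as shown.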
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2816db8 and 115dd81.

📒 Files selected for processing (1)
  • .github/workflows/unit-test.yml (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Execute unit tests (windows-latest)
  • GitHub Check: Execute unit tests (macos-13)
🔇 Additional comments (4)
.github/workflows/unit-test.yml (4)

26-32: Good fix: CodeQL initialised before build.

This addresses the previous blocker; Linux guard and query set look fine.


66-72: CodeQL analyse step looks correct.

Running analyse after the Gradle build with upload disabled and a custom output dir is the right setup for the two‑stage flow.


73-81: Artifact upload for SARIF is set up well.

Name, path, and retention are sensible; Linux guard matches the rest.


39-44: All set: gradle-wrapper.properties uses Gradle 9.1.0 (adds Java 25 support in 9.1.0+) (docs.gradle.org) and actions/setup-java@v5 will provision Temurin 25 on Linux, Windows, and macOS (downloading it on the fly if it is not in the hosted cache) (github.com)

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@MartelliEnrico MartelliEnrico deleted the add-codeql-analysis branch September 29, 2025 14:19