From 2816db8b9156e67c9eaa40a86bba0aa02e442a53 Mon Sep 17 00:00:00 2001 From: Enrico Martelli Date: Sun, 28 Sep 2025 11:34:50 +0200 Subject: [PATCH 1/4] Add CodeQL analysis --- .github/workflows/unit-test.yml | 54 ++++++++++++++++++++++++++++++++- build.gradle | 2 +- 2 files changed, 54 insertions(+), 2 deletions(-) diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml index 51e3e403..07b2f820 100644 --- a/.github/workflows/unit-test.yml +++ b/.github/workflows/unit-test.yml @@ -52,10 +52,62 @@ jobs: if: runner.os == 'Linux' with: name: coverage_report - path: .qodana/code-coverage/report.xml + path: build/code-coverage/report.xml retention-days: 1 if-no-files-found: error + - name: Perform CodeQL analysis + uses: github/codeql-action/analyze@v3 + if: runner.os == 'Linux' + with: + upload: false + output: build/sarif-results + + - name: Upload CodeQL report + uses: actions/upload-artifact@v4 + if: runner.os == 'Linux' + with: + name: codeql_analysis + path: build/sarif-results/java.sarif + retention-days: 1 + if-no-files-found: error + + codeql: + name: Upload CodeQL analysis + needs: tests + runs-on: ubuntu-latest + permissions: + checks: write + security-events: write + steps: + - name: Checkout code changes + uses: actions/checkout@v5 + with: + ref: ${{ github.event.pull_request.head.sha || github.sha }} + fetch-depth: 0 + + - name: Download coverage report + uses: actions/download-artifact@v5 + with: + name: codeql_analysis + path: build/sarif-results + + - name: Filter SARIF + uses: advanced-security/filter-sarif@v1 + if: runner.os == 'Linux' + with: + patterns: | + -.gradle/** + -**/generated/** + input: build/sarif-results/java.sarif + output: build/sarif-results/java.sarif + + - name: Upload SARIF + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: build/sarif-results/java.sarif + category: "/language:java-kotlin" + qodana: name: Perform Qodana analysis if: ${{ vars.QODANA_ENABLED == 'true' }} 
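Review bot: The new `codeql` job grants `checks: write`, but none of its four steps (checkout, download-artifact, filter-sarif, upload-sarif) writes check runs; `security-events: write` is the scope upload-sarif needs, so `checks: write` looks like excess scope and should be dropped unless a step outside this hunk relies on it. Because the job declares its own `permissions` block, every scope not listed is withheld, so `contents: read` must be added if the repository is private and the checkout step needs it. `advanced-security/filter-sarif@v1` is a third-party action pinned to a mutable major tag; pin it to a full commit SHA with the version in a trailing comment (`uses: advanced-security/filter-sarif@<commit-sha>  # v1`) so the step cannot change without a diff here. The same job runs checkout with `fetch-depth: 0`, which fetches full history that none of the visible steps use.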
diff --git a/build.gradle b/build.gradle index 0c611255..8ce4ca6c 100644 --- a/build.gradle +++ b/build.gradle @@ -70,7 +70,7 @@ jacocoTestReport { reports { html.required = false xml.required = true - xml.outputLocation = file('.qodana/code-coverage/report.xml') + xml.outputLocation = file('build/code-coverage/report.xml') } afterEvaluate { From 115dd8115f71fe0326b33bde96beb81b230dced3 Mon Sep 17 00:00:00 2001 From: Enrico Martelli Date: Sun, 28 Sep 2025 11:43:04 +0200 Subject: [PATCH 2/4] Add codeql init --- .github/workflows/unit-test.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml index 07b2f820..1b8a9074 100644 --- a/.github/workflows/unit-test.yml +++ b/.github/workflows/unit-test.yml @@ -23,6 +23,13 @@ jobs: - name: Checkout code changes uses: actions/checkout@v5 + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + if: runner.os == 'Linux' + with: + languages: "java" + queries: security-and-quality + - name: Setup FFmpeg uses: FedericoCarboni/setup-ffmpeg@v3 with: @@ -106,7 +113,7 @@ jobs: uses: github/codeql-action/upload-sarif@v3 with: sarif_file: build/sarif-results/java.sarif - category: "/language:java-kotlin" + category: "/language:java" qodana: name: Perform Qodana analysis From 55e14df4ebe94709e591d80f21050aa308ed6ed3 Mon Sep 17 00:00:00 2001 From: Enrico Martelli Date: Sun, 28 Sep 2025 11:56:12 +0200 Subject: [PATCH 3/4] Fix errors --- .github/workflows/unit-test.yml | 4 ++-- build.gradle | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml index 1b8a9074..92503e4f 100644 --- a/.github/workflows/unit-test.yml +++ b/.github/workflows/unit-test.yml @@ -15,6 +15,7 @@ jobs: runs-on: ${{ matrix.os }} permissions: contents: write + security-events: write strategy: fail-fast: false matrix: 
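Review bot: The init step is gated with `if: runner.os == 'Linux'`, but nothing records that the analyze step and the artifact upload further down carry the same condition, or that init must run before the Gradle build for the tracer to capture compilation; a comment such as `# CodeQL tracing is Linux-only; analyze/upload below carry the same condition, and init must precede the Gradle build` would keep those conditions from drifting apart. `languages: "java"` is accepted as an alias of CodeQL's current `java-kotlin` identifier, so `java-kotlin` would be the more future-proof spelling and would also match the `/language:java-kotlin` category that the second hunk now renames to `/language:java`. The `tests` job's build step lies outside this hunk, so the ordering cannot be confirmed from here.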
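Review bot: `security-events: write` is added to the whole matrix `tests` job although only the Linux leg runs CodeQL and its analyze step has `upload: false`, with the SARIF upload happening in the separate `codeql` job; combined with the existing `contents: write`, every non-Linux leg's token now carries two write scopes it does not use. If init or analyze do fail without this scope even with `upload: false` (the "Fix errors" subject suggests this was added to cure a failure), a comment such as `# needed by codeql-action init/analyze even though upload is done in the codeql job` would stop a later cleanup from removing it; otherwise the scope should be dropped here. The `tests` job header and its matrix lie outside the hunk.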
@@ -93,7 +94,7 @@ jobs: ref: ${{ github.event.pull_request.head.sha || github.sha }} fetch-depth: 0 - - name: Download coverage report + - name: Download CodeQL anaysis uses: actions/download-artifact@v5 with: name: codeql_analysis @@ -101,7 +102,6 @@ jobs: - name: Filter SARIF uses: advanced-security/filter-sarif@v1 - if: runner.os == 'Linux' with: patterns: | -.gradle/** diff --git a/build.gradle b/build.gradle index 8ce4ca6c..49541609 100644 --- a/build.gradle +++ b/build.gradle @@ -88,7 +88,7 @@ def generateCohArchive = tasks.register('generateCohArchive', Exec) { inputs.dir(jlink.map { it.outputDirectory.get().asFile }) def java = jlink.map { it.outputDirectory.file('jre/bin/java').get().asFile.absolutePath } - doFirst { commandLine(java.get(), '-XX:+UseCompactObjectHeaders', '-Xshare:dump') } + doFirst { commandLine(java.get(), '-XX:+UseCompactObjectHeaders', '-Xshare:dump', '-XX:+AllowArchivingWithJavaAgent') } } jlink.configure { finalizedBy(generateCohArchive) } From 48789c2f36cc175f0d08d52be4ff6ead57915809 Mon Sep 17 00:00:00 2001 From: Enrico Martelli Date: Sun, 28 Sep 2025 11:59:05 +0200 Subject: [PATCH 4/4] Fix errors --- .github/workflows/unit-test.yml | 2 +- build.gradle | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml index 92503e4f..7e6ff4a5 100644 --- a/.github/workflows/unit-test.yml +++ b/.github/workflows/unit-test.yml @@ -94,7 +94,7 @@ jobs: ref: ${{ github.event.pull_request.head.sha || github.sha }} fetch-depth: 0 - - name: Download CodeQL anaysis + - name: Download CodeQL analysis uses: actions/download-artifact@v5 with: name: codeql_analysis diff --git a/build.gradle b/build.gradle index 49541609..8f497cdb 100644 --- a/build.gradle +++ b/build.gradle 
@@ -88,7 +88,7 @@ def generateCohArchive = tasks.register('generateCohArchive', Exec) { inputs.dir(jlink.map { it.outputDirectory.get().asFile }) def java = jlink.map { it.outputDirectory.file('jre/bin/java').get().asFile.absolutePath } - doFirst { commandLine(java.get(), '-XX:+UseCompactObjectHeaders', '-Xshare:dump', '-XX:+AllowArchivingWithJavaAgent') } + doFirst { commandLine(java.get(), '-XX:+UseCompactObjectHeaders', '-Xshare:dump', '-XX:+UnlockDiagnosticVMOptions', '-XX:+AllowArchivingWithJavaAgent') } } jlink.configure { finalizedBy(generateCohArchive) }
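Review bot: `-XX:+UnlockDiagnosticVMOptions -XX:+AllowArchivingWithJavaAgent` are now a permanent part of the `-Xshare:dump` command in `generateCohArchive`, and nothing records why; presumably, given that they appear right after CodeQL tracing was added in this series, the dump failed because the CI build tracer attaches a Java agent, which CDS dumping refuses unless this diagnostic flag is unlocked. Add a comment above the `doFirst` line such as `// CDS dumping aborts when a Java agent is attached (e.g. the CodeQL build tracer in CI); the diagnostic flag lifts that check` so the flags are not removed as noise later. With the flag in place, an archive dumped in a traced CI run is produced with the agent present, so if release artifacts come from that same run it is worth confirming the archive content matches an untraced build. The `generateCohArchive` registration starts before this hunk.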