From 1f00f0aa22da5ec03c38728bdb54b8c1872d77f9 Mon Sep 17 00:00:00 2001
From: Mark Borrow <99207355+shiftleft-mark@users.noreply.github.com>
Date: Tue, 8 Feb 2022 11:54:07 -0500
Subject: [PATCH 1/8] Create invoke_ngsast.yml
---
 .github/workflows/invoke_ngsast.yml | 40 +++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 .github/workflows/invoke_ngsast.yml
diff --git a/.github/workflows/invoke_ngsast.yml b/.github/workflows/invoke_ngsast.yml
new file mode 100644
index 0000000..9fcbbd1
--- /dev/null
+++ b/.github/workflows/invoke_ngsast.yml
@@ -0,0 +1,40 @@
+# This workflow integrates ShiftLeft NG SAST with GitHub
+# Visit https://docs.shiftleft.io for help
+name: ShiftLeft
+
+on:
+ pull_request:
+ workflow_dispatch:
+ push:
+ # We recommend triggering a scan when merging to your default branch as a best practice,
+ # especially if you'd like to compare the results of two scans (e.g., a feature branch against the
+ # default branch)
+ branches:
+ - main
+ - master
+jobs:
+ NG-SAST-Build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ # We are building this application with Java 11
+ - name: Setup Java JDK
+ uses: actions/setup-java@v1.4.3
+ with:
+ java-version: 11.0.x
+ - name: Package with maven
+ run: mvn compile package
+ - name: Download ShiftLeft CLI
+ run: |
+ curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+ # ShiftLeft requires Java 1.8. Post the package step override the version
+ - name: Setup Java JDK
+ uses: actions/setup-java@v1.4.3
+ with:
+ java-version: 1.8
+ - name: NextGen Static Analysis
+ run: ${GITHUB_WORKSPACE}/sl analyze --wait --app {{ .Application }} --tag branch={{`${{ github.head_ref }}`}} --vcs-prefix-correction "io/shiftleft=src/main/java/" --java --cpg target/hello-shiftleft-0.0.1.jar
+
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
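Review bot: The `Download ShiftLeft CLI` step pulls an unversioned binary from `https://cdn.shiftleft.io/download/sl` and makes it executable with no integrity check, and the following step runs it with `SHIFTLEFT_ACCESS_TOKEN` and `GITHUB_TOKEN` in its environment, so whatever that URL serves on a given day runs with both credentials; fetching a version-pinned artifact (if the vendor publishes one) and verifying a published digest before `chmod`, e.g. `echo "<EXPECTED_SHA256>  ${GITHUB_WORKSPACE}/sl" | sha256sum -c -`, would make the step reproducible and detect a tampered download. The `curl` call also lacks `-f`/`--fail`, so an HTTP error body would be written to `sl` and the step would still succeed, leaving the failure to surface only when `analyze` runs. No top-level `permissions:` block is declared, so `GITHUB_TOKEN` receives the repository default scopes; `permissions:` with `contents: read` covers `actions/checkout@v2` and is the least privilege this job visibly needs. `actions/checkout@v2` and `actions/setup-java@v1.4.3` are referenced by mutable tags; pinning them to full commit SHAs is the usual hardening. Note also that on `pull_request` runs triggered from forks the `secrets.*` values are empty, so the analyze step will fail for outside contributors unless that is accepted.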
From 0ffc1a1b7b19019919e7a02368af7490c663b803 Mon Sep 17 00:00:00 2001
From: Mark Borrow <99207355+shiftleft-mark@users.noreply.github.com>
Date: Tue, 8 Feb 2022 11:56:26 -0500
Subject: [PATCH 2/8] Update invoke_ngsast.yml
---
 .github/workflows/invoke_ngsast.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/invoke_ngsast.yml b/.github/workflows/invoke_ngsast.yml
index 9fcbbd1..838e6c6 100644
--- a/.github/workflows/invoke_ngsast.yml
+++ b/.github/workflows/invoke_ngsast.yml
@@ -33,7 +33,7 @@ jobs:
 with:
 java-version: 1.8
 - name: NextGen Static Analysis
- run: ${GITHUB_WORKSPACE}/sl analyze --wait --app {{ .Application }} --tag branch={{`${{ github.head_ref }}`}} --vcs-prefix-correction "io/shiftleft=src/main/java/" --java --cpg target/hello-shiftleft-0.0.1.jar
+ run: ${GITHUB_WORKSPACE}/sl analyze --wait --app sl-java-test --tag branch={{`${{ github.head_ref }}`}} --vcs-prefix-correction "io/shiftleft=src/main/java/" --java --cpg target/hello-shiftleft-0.0.1.jar
 env:
 SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
From 57f90d7454d687d1278c3bc86b11d8ed46aee78a Mon Sep 17 00:00:00 2001
From: Mark Borrow <99207355+shiftleft-mark@users.noreply.github.com>
Date: Mon, 28 Feb 2022 12:21:29 -0500
Subject: [PATCH 3/8] Update invoke_ngsast.yml
---
 .github/workflows/invoke_ngsast.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/invoke_ngsast.yml b/.github/workflows/invoke_ngsast.yml
index 838e6c6..ef82371 100644
--- a/.github/workflows/invoke_ngsast.yml
+++ b/.github/workflows/invoke_ngsast.yml
@@ -1,5 +1,6 @@
 # This workflow integrates ShiftLeft NG SAST with GitHub
 # Visit https://docs.shiftleft.io for help
+# Adding a comment here to make a change
 name: ShiftLeft
 on:
From 147811d3d4e1817ab85c49cd5c624c8da032771d Mon Sep 17 00:00:00 2001
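Review bot: The rewritten `run:` line is over 200 characters with seven flags on one line, while the file's download step already breaks long content with a block scalar (`run: |`); a folded scalar `run: >-` with one `--flag value` per continuation line would keep the command byte-identical at runtime and bring the source within a 120-character line limit. Quoting the new literal as `--app "sl-java-test"` would also keep the command safe if the application name ever gains characters the shell treats specially. The step's `env:` block is only partly visible in this hunk.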
From: Mark Borrow <99207355+shiftleft-mark@users.noreply.github.com>
Date: Thu, 10 Mar 2022 10:43:25 -0500
Subject: [PATCH 4/8] Update invoke_ngsast.yml
---
 .github/workflows/invoke_ngsast.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/invoke_ngsast.yml b/.github/workflows/invoke_ngsast.yml
index ef82371..7024c6b 100644
--- a/.github/workflows/invoke_ngsast.yml
+++ b/.github/workflows/invoke_ngsast.yml
@@ -39,3 +39,5 @@ jobs:
 env:
 SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ #rescanning
From 9080d2d7961662a4110dc676a49688925aefe615 Mon Sep 17 00:00:00 2001
From: Mark Borrow <99207355+shiftleft-mark@users.noreply.github.com>
Date: Thu, 10 Mar 2022 11:16:20 -0500
Subject: [PATCH 5/8] Update invoke_ngsast.yml
---
 .github/workflows/invoke_ngsast.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/invoke_ngsast.yml b/.github/workflows/invoke_ngsast.yml
index 7024c6b..4aab465 100644
--- a/.github/workflows/invoke_ngsast.yml
+++ b/.github/workflows/invoke_ngsast.yml
@@ -34,7 +34,7 @@ jobs:
 with:
 java-version: 1.8
 - name: NextGen Static Analysis
- run: ${GITHUB_WORKSPACE}/sl analyze --wait --app sl-java-test --tag branch={{`${{ github.head_ref }}`}} --vcs-prefix-correction "io/shiftleft=src/main/java/" --java --cpg target/hello-shiftleft-0.0.1.jar
+ run: ${GITHUB_WORKSPACE}/sl analyze --wait --app sl-java-test --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --vcs-prefix-correction "io/shiftleft=src/main/java/" --java --cpg target/hello-shiftleft-0.0.1.jar
 env:
 SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
From fccb7effe6a7466b1428ae6276b83f64f105e212 Mon Sep 17 00:00:00 2001
From: Mark Borrow <99207355+shiftleft-mark@users.noreply.github.com>
Date: Wed, 20 Apr 2022 09:57:02 -0400
Subject: [PATCH 6/8] Update README.md
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
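Review bot: `--tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }}` now expands the pull request's head branch name straight into the shell command; `github.head_ref` is chosen by whoever opened the PR, so it is untrusted text and should reach the shell only through an environment variable — add `BRANCH: ${{ github.head_ref || steps.extract_branch.outputs.branch }}` to the existing `env:` block and use `--tag branch="$BRANCH"` in `run:`. Separately, no step in this workflow as created in patch 1/8 or touched by patches 2–4 carries `id: extract_branch`, so on `push` events (where `head_ref` is empty) the fallback evaluates to an empty string and the tag is sent as `branch=`; `github.ref_name` is a built-in context value that names the branch on push without an extra step. In the context lines, `java-version: 1.8` is a bare float that generic YAML loaders read as a number; quoting it as `"1.8"` matches the `11.0.x` form used earlier in the file.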
diff --git a/README.md b/README.md
index 694690e..28ff8e7 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# HelloShiftLeft
+# HelloShiftLeft - edit
 This is a demo application which provides a real world representation of a REST service that uses a mix of convention and configuration to simulate a decent set of vulnerabilities exposed in the code. It includes scenarios such as sensitive data leaking to logs, data secrets leaks, authentication bypass, remote code execution, XSS vulnerabilites etc. The sample sensitive data is a mix of financial data such as account information, medical data of patients, and other PII data such as customer information. HelloShiftLeft also contains patterns/anti-patterns of how data is used/abused in interfaces or channels (to and from HTTP/TCP, third-party, database) that can lead to vulnerabilites. The application is built on the Spring Framework and exposes a series of endpoints and APIs for queries and simulating exploits.
From 1fdd7cefbf472d70298e45452912b8023d0d2a43 Mon Sep 17 00:00:00 2001
From: Mark Borrow <99207355+shiftleft-mark@users.noreply.github.com>
Date: Wed, 20 Apr 2022 10:01:20 -0400
Subject: [PATCH 7/8] Create shiftleft.yml
---
 shiftleft.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 shiftleft.yml
diff --git a/shiftleft.yml b/shiftleft.yml
new file mode 100644
index 0000000..8dad7f4
--- /dev/null
+++ b/shiftleft.yml
@@ -0,0 +1,12 @@
+build_rules:
+ - id: allow-zero-findings
+ finding_types:
+ - vuln
+ - secret
+ - insight
+ - "*"
+ severity:
+ - SEVERITY_MEDIUM_IMPACT
+ - SEVERITY_HIGH_IMPACT
+ - SEVERITY_LOW_IMPACT
+ threshold: 0
From 808e95e01e47d9f670a32ca4d683578ddd6717dc Mon Sep 17 00:00:00 2001
From: Mark Borrow <99207355+shiftleft-mark@users.noreply.github.com>
Date: Wed, 20 Apr 2022 10:06:48 -0400
Subject: [PATCH 8/8] Update README.md
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 694690e..0116bd0 100644
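Review bot: `finding_types` lists `vuln`, `secret` and `insight` next to `"*"`; if the quoted star is a wildcard for all types, the three explicit entries are redundant and the rule would read more clearly as either the explicit list or `"*"` alone. With `threshold: 0` across all three severity values the rule fails the build on any finding at all, and since the README edited in this same series describes the application as deliberately vulnerable, this check will presumably never pass — if that is the intended demo behaviour, a comment above `build_rules:` such as `# Demo rule: any finding fails the build; expected to block on this intentionally vulnerable app` would make it explicit. The quoting of `"*"` should be kept: an unquoted `*` is read by YAML as an alias reference. Adding a `---` document start and a header comment naming which tool reads `shiftleft.yml` would round the file out, since nothing in the series says how it is consumed.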
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# HelloShiftLeft
+# HelloShiftLeft - edited
 This is a demo application which provides a real world representation of a REST service that uses a mix of convention and configuration to simulate a decent set of vulnerabilities exposed in the code. It includes scenarios such as sensitive data leaking to logs, data secrets leaks, authentication bypass, remote code execution, XSS vulnerabilites etc. The sample sensitive data is a mix of financial data such as account information, medical data of patients, and other PII data such as customer information. HelloShiftLeft also contains patterns/anti-patterns of how data is used/abused in interfaces or channels (to and from HTTP/TCP, third-party, database) that can lead to vulnerabilites. The application is built on the Spring Framework and exposes a series of endpoints and APIs for queries and simulating exploits.
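Review bot: This patch's `index 694690e..0116bd0` carries the same pre-image blob `694690e` as patch 6/8 (`index 694690e..28ff8e7`), and its removed line is again `# HelloShiftLeft` rather than the `# HelloShiftLeft - edit` that patch 6 produced, so the series as posted will not apply cleanly in order — patch 8 was evidently prepared against the original README rather than on top of patch 6. Rebasing it so the hunk reads `-# HelloShiftLeft - edit` / `+# HelloShiftLeft - edited`, or squashing the two README edits into one commit, would fix the series. Apart from the heading, the README text in the hunk is unchanged.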