diff --git a/.github/workflows/AutofixPRnBR.yml b/.github/workflows/AutofixPRnBR.yml
new file mode 100644
index 00000000..05161a86
--- /dev/null
+++ b/.github/workflows/AutofixPRnBR.yml
@@ -0,0 +1,41 @@ + +--- +# This workflow integrates ShiftLeft NG SAST with GitHub +# Visit https://docs.shiftleft.io for help +name: QwietAFPRnBR + +on: + pull_request: + workflow_dispatch: + schedule: + # * is a special character in YAML so you have to quote this string + - cron: '0 11 * * 6' +jobs: + NextGen-Static-Analysis: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + # We are building this application with Java 11 + - name: Setup Java JDK + uses: actions/setup-java@v1.4.3 + with: + java-version: 1.8 + #- name: Package with maven + # run: mvn clean package + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + - name: Extract branch name + shell: bash + run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" + id: extract_branch + - name: NextGen Static Analysis + #run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --verbose --app Qwiet-java-GH --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --vcs-prefix-correction "io/shiftleft=src/main/java/" --java --container 18fgsa/s3-resource target/hello-shiftleft-0.0.1.jar + run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --verbose --app Qwiet-java-GH --container 18fgsa/s3-resource --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} + #run: QWIET_ENABLE_MULTI_LANGUAGE_ANALYSIS=true ${GITHUB_WORKSPACE}/sl analyze --strict --wait --verbose --app Qwiet-Multi-GH --container 18fgsa/s3-resource --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + SHIFTLEFT_API_HOST: www.shiftleft.io + SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443 + SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443 + diff --git a/.github/workflows/QwietMLtest.yml b/.github/workflows/QwietMLtest.yml new file mode 100644 index 00000000..655e41d5 --- /dev/null 
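Review bot: The `NextGen Static Analysis` step interpolates `${{ github.head_ref || steps.extract_branch.outputs.branch }}` directly into the `run:` shell line, and `github.head_ref` is chosen by whoever opens the pull request, so a crafted branch name becomes shell syntax in a job that holds `SHIFTLEFT_ACCESS_TOKEN`. Pass it through the environment instead: add `BRANCH: ${{ github.head_ref || steps.extract_branch.outputs.branch }}` under the step's `env:` and use `--tag branch="$BRANCH"` in the command. The `Download ShiftLeft CLI` step also fetches an unpinned binary with a bare `curl` and no `-f`, so an HTTP error page would be chmod'd and executed; use `curl -fsSL` and verify a published checksum if the vendor provides one. The `##[set-output]` syntax in `Extract branch name` is deprecated — write `echo "branch=${GITHUB_REF#refs/heads/}" >> "$GITHUB_OUTPUT"` — and the "building this application with Java 11" comment contradicts `java-version: 1.8` on the line below it.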
+++ b/.github/workflows/QwietMLtest.yml @@ -0,0 +1,41 @@ + +--- +# This workflow integrates ShiftLeft NG SAST with GitHub +# Visit https://docs.shiftleft.io for help +name: ShiftLeft + +on: + pull_request: + workflow_dispatch: + +jobs: + NextGen-Static-Analysis: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + # We are building this application with Java 11 + - name: Setup Java JDK + uses: actions/setup-java@v3 + with: + java-version: 11.0.x + distribution: zulu + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + # ShiftLeft requires Java 1.8. Post the package step override the version + - name: Setup Java JDK + uses: actions/setup-java@v3 + with: + distribution: zulu + java-version: 8 + - name: Extract branch name + shell: bash + run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" + id: extract_branch + - name: NextGen Static Analysis + run: QWIET_ENABLE_MULTI_LANGUAGE_ANALYSIS=true ${GITHUB_WORKSPACE}/sl analyze + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + SHIFTLEFT_API_HOST: www.shiftleft.io + SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443 + SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443 diff --git a/.github/workflows/QwietPRBF.yml b/.github/workflows/QwietPRBF.yml new file mode 100644 index 00000000..1bf99c4f --- /dev/null +++ b/.github/workflows/QwietPRBF.yml 
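Review bot: The `Extract branch name` step's output is never consumed — the `sl analyze` line passes no `--tag` — so the step is dead code built on the deprecated `##[set-output]` syntax; either drop it or wire it in through an `env:` variable rather than inline `${{ }}` interpolation into the shell. The comment "Post the package step override the version" refers to a Maven package step that does not exist in this workflow, so the second `setup-java` (Java 8) simply replaces the first (Java 11) and the first is wasted work. The CLI download is a bare `curl` to `cdn.shiftleft.io` with no `-f` and no integrity check, producing a binary that then runs with `SHIFTLEFT_ACCESS_TOKEN`; use `curl -fsSL` and pin or verify the artifact where the vendor publishes a checksum. No `permissions:` block is declared, so the job inherits the repository's default `GITHUB_TOKEN` scope when `permissions: contents: read` is all it needs.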
@@ -0,0 +1,85 @@ + +--- +# This workflow integrates ShiftLeft NG SAST with GitHub +# Visit https://docs.shiftleft.io for help +name: QwietQual + +on: + pull_request: + workflow_dispatch: + schedule: + # * is a special character in YAML so you have to quote this string + - cron: '0 11 * * 6' +jobs: + NextGen-Static-Analysis: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + # We are building this application with Java 11 + - name: Setup Java JDK + uses: actions/setup-java@v3 + with: + distribution: zulu + java-version: 11 + #- name: Package with maven + # run: mvn clean package + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + - name: Extract branch name + shell: bash + run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" + id: extract_branch + - name: NextGen Static Analysis + #run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --verbose --app Qwiet-java-GH --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --vcs-prefix-correction "io/shiftleft=src/main/java/" --java --container 18fgsa/s3-resource target/hello-shiftleft-0.0.1.jar + run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --verbose --app Qwiet-javatoo --container 18fgsa/s3-resource --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} + #run: QWIET_ENABLE_MULTI_LANGUAGE_ANALYSIS=true ${GITHUB_WORKSPACE}/sl analyze --strict --wait --verbose --app Qwiet-Multi-GH --container 18fgsa/s3-resource --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN_POC }} + SHIFTLEFT_API_HOST: www.shiftleft.io + SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443 + SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443 + - name: Run Bestfix script to generate report + shell: bash + if: github.event_name == 'pull_request' + run: | + git clone 
https://github.com/gzttech/beautifulspoon.git + pip3 install beautifulspoon + git clone https://github.com/ShiftLeftSecurity/field-integrations.git + pip3 install -r field-integrations/shiftleft-utils/requirements.txt + python3 field-integrations/shiftleft-utils/bestfix.py -a ${{ github.event.repository.name }} -o $GITHUB_WORKSPACE/ngsast-bestfix-report.html + bspoon $GITHUB_WORKSPACE/ngsast-bestfix-report.html --select body > $GITHUB_WORKSPACE/qwiet.html + BESTFIX_OUTPUT=$(cat $GITHUB_WORKSPACE/ngsast-bestfix-report.html) + BESTFIX_BODY=$(jq -n --arg body "$BESTFIX_OUTPUT" '{body: $body}') + + url="https://api.github.com/repos/${{ github.repository_owner }}/${{ github.event.repository.name }}/issues/${{github.event.number}}/comments" + + curl -s -X POST \ + -H "Accept: application/vnd.github+json" \ + -H "Authorization: Bearer ${GH_API_TOKEN}" \ + -d "${BESTFIX_BODY}" \ + "${url}" + env: + GH_API_TOKEN: ${{ secrets.API_TOKEN }} + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN_POC }} + Build-Rules: + runs-on: ubuntu-latest + needs: NextGen-Static-Analysis + steps: + - uses: actions/checkout@v3 + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + - name: Validate Build Rules + run: | + ${GITHUB_WORKSPACE}/sl check-analysis --app Qwiet-javatoo \ + --github-pr-number=${{github.event.number}} \ + --github-pr-user=${{ github.repository_owner }} \ + --github-pr-repo=${{ github.event.repository.name }} \ + --github-token=${{ secrets.GITHUB_TOKEN }} + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + SHIFTLEFT_API_HOST: www.shiftleft.io + SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443 + SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443 + diff --git a/.github/workflows/TSdemo.yml b/.github/workflows/TSdemo.yml new file mode 100644 index 00000000..7484846c --- /dev/null +++ b/.github/workflows/TSdemo.yml 
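Review bot: The `Run Bestfix script` step executes freshly cloned, unpinned code (`git clone …/field-integrations.git` at HEAD, `pip3 install beautifulspoon` and `pip3 install -r …/requirements.txt` with no version pins) in a step that also holds `secrets.API_TOKEN` and `SHIFTLEFT_ACCESS_TOKEN_POC`, so a compromised upstream commit or package can read both tokens; pin the clone to a commit (`git clone --depth 1 … && git -C field-integrations checkout <sha>`) and the pip installs to exact versions. `secrets.API_TOKEN` is a standing personal token used only to POST a PR comment, which the job's own `GITHUB_TOKEN` can do under `permissions: pull-requests: write`; setting `GH_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}` removes the long-lived credential from the job. The step also extracts `--select body` into `qwiet.html` but then posts the full `ngsast-bestfix-report.html`, so the trimmed file is never used. The preceding `git clone …/beautifulspoon.git` is likewise unused, since `bspoon` comes from the pip install. As in the analysis step, `${{ github.head_ref || … }}` is interpolated into the shell line and should be routed through `env:`.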
@@ -0,0 +1,59 @@ + +--- +# This workflow integrates ShiftLeft NG SAST with GitHub +# Visit https://docs.shiftleft.io for help +name: QwietTest + +on: + pull_request: + workflow_dispatch: + schedule: + # * is a special character in YAML so you have to quote this string + - cron: '0 11 * * 6' +jobs: + NextGen-Static-Analysis: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + # We are building this application with Java 11 + - name: Setup Java JDK + uses: actions/setup-java@v1.4.3 + with: + java-version: 1.8 + - name: Package with maven + run: mvn clean package + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + - name: Extract branch name + shell: bash + run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" + id: extract_branch + - name: NextGen Static Analysis + run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --app Qwiet-java-GH --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --vcs-prefix-correction "io/shiftleft=src/main/java/" --java --container 18fgsa/s3-resource target/hello-shiftleft-0.0.1.jar + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN0 }} + SHIFTLEFT_API_HOST: www.shiftleft.io + SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443 + SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443 + Build-Rules: + runs-on: ubuntu-latest + needs: NextGen-Static-Analysis + steps: + - uses: actions/checkout@v3 + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + - name: Validate Build Rules + run: | + ${GITHUB_WORKSPACE}/sl check-analysis --app shiftleft-java-demo \ + --github-pr-number=${{github.event.number}} \ + --github-pr-user=${{ github.repository_owner }} \ + --github-pr-repo=${{ github.event.repository.name }} \ + --github-token=${{ secrets.GITHUB_TOKEN }} + env: + SHIFTLEFT_ACCESS_TOKEN: 
${{ secrets.SHIFTLEFT_ACCESS_TOKEN0 }} + SHIFTLEFT_API_HOST: www.shiftleft.io + SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443 + SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443 + diff --git a/.github/workflows/TestSecTab.yml b/.github/workflows/TestSecTab.yml new file mode 100644 index 00000000..d5095ad5 --- /dev/null +++ b/.github/workflows/TestSecTab.yml 
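Review bot: The `Build-Rules` job runs `sl check-analysis --app shiftleft-java-demo`, but the scan in `NextGen-Static-Analysis` was uploaded as `--app Qwiet-java-GH`, so the gate evaluates build rules against a different application than the one this run just analysed and the PR check does not reflect this PR's findings. Use the same identifier in both places, e.g. `--app Qwiet-java-GH` in the check-analysis call, or lift it into a workflow-level `env:` value so the two cannot drift. The `sl analyze` line still interpolates `${{ github.head_ref || … }}` into the shell; pass it as `BRANCH` under `env:` and use `--tag branch="$BRANCH"`. `actions/setup-java@v1.4.3` is an old major with `java-version: 1.8` while the comment claims Java 11; the sibling workflows in this commit already use `setup-java@v3` with `distribution: zulu`.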
@@ -0,0 +1,68 @@ +# This workflow integrates QwietAI preZero SAST with GitHub and exports SARIF results to the Security Tab +name: QwietAFPRnBR2 + +on: + pull_request: + workflow_dispatch: + schedule: + # * is a special character in YAML so you have to quote this string + - cron: '0 11 * * 6' + +permissions: + security-events: write # Ensure proper permissions to upload SARIF results + +jobs: + QwietAI-preZero-Analysis: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + + - name: Setup Java JDK v8 + uses: actions/setup-java@v3 + with: + distribution: zulu + java-version: 8 + + - name: Download QwietAI CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + + - name: Extract branch name + shell: bash + run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" + id: extract_branch + + - name: QwietAI preZero Analysis + run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --app Qwietjavatab --verbose --container 18fgsa/s3-resource --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} . 
-- --exclude common.py,export2.py,export3.py,export4.py + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + SHIFTLEFT_API_HOST: www.shiftleft.io + SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443 + SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443 + + - name: Download export.py and requirements.txt + run: | + curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/export.py + curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/config.py + curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/common.py + curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/requirements.txt + - name: Verify export.py file exists + run: | + ls -la ${GITHUB_WORKSPACE} + + - name: Install Python dependencies + run: | + python3 -m pip install --upgrade pip + python3 -m pip install -r requirements.txt + + - name: Run export.py and generate SARIF report + run: | + #APP_NAME=${{ github.event.repository.name }} + python3 ${GITHUB_WORKSPACE}/export.py -f sarif -a Qwietjavatab + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + + - name: Upload SARIF file to GitHub Security Tab + uses: github/codeql-action/upload-sarif@v3 # Updated to v3 + with: + sarif_file: ./ngsast-report-Qwietjavatab.sarif # Correct dynamic path for SARIF output diff --git a/.github/workflows/poc.yml b/.github/workflows/poc.yml new file mode 100644 index 00000000..594c89e4 --- /dev/null +++ b/.github/workflows/poc.yml 
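Review bot: The `Download export.py and requirements.txt` step pulls `export.py`, `config.py`, `common.py` and `requirements.txt` from the `master` branch of a third-party repository with plain `curl -O` and then runs them with `SHIFTLEFT_ACCESS_TOKEN` in scope, so any later push to that branch — or a 404 page saved as `export.py`, since `-f` is absent — executes in this job. Pin the raw URLs to a commit SHA instead of `master`, add `-fsSL`, and pin the `requirements.txt` installs to exact versions (or vendor the scripts into this repo). The top-level `permissions:` block grants only `security-events: write`, which sets every other scope to `none`; if this repository is private, `actions/checkout@v3` then lacks `contents: read`, so declare `contents: read` alongside it. Note that `--exclude common.py,export2.py,…` on the analyze line runs before those files are downloaded, so unless they already exist in the checkout the exclusion has nothing to act on in this job.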
@@ -0,0 +1,112 @@ + +--- +# This workflow integrates ShiftLeft NG SAST with GitHub +# Visit https://docs.shiftleft.io for help +name: QwietPoC + +on: + pull_request: + workflow_dispatch: + schedule: + # * is a special character in YAML so you have to quote this string + - cron: '0 11 * * 6' +jobs: + NextGen-Static-Analysis: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + # We are building this application with Java 11 + - name: Setup Java JDK + uses: actions/setup-java@v3 + with: + distribution: zulu + java-version: 11 + #- name: Package with maven + # run: mvn clean package + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + - name: Extract branch name + shell: bash + run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" + id: extract_branch + - name: NextGen Static Analysis + #run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --verbose --app Qwiet-java-GH --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --vcs-prefix-correction "io/shiftleft=src/main/java/" --java --container 18fgsa/s3-resource target/hello-shiftleft-0.0.1.jar + run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --verbose --app QwietAI-MultiLang --container 18fgsa/s3-resource --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} + #run: QWIET_ENABLE_MULTI_LANGUAGE_ANALYSIS=true ${GITHUB_WORKSPACE}/sl analyze --strict --wait --verbose --app Qwiet-Multi-GH --container 18fgsa/s3-resource --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN_POC }} + SHIFTLEFT_API_HOST: www.shiftleft.io + SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443 + SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443 + - name: Run Bestfix script to generate report + shell: bash + if: github.event_name == 'pull_request' + run: | + git clone 
https://github.com/gzttech/beautifulspoon.git + pip3 install beautifulspoon + git clone https://github.com/ShiftLeftSecurity/field-integrations.git + pip3 install -r field-integrations/shiftleft-utils/requirements.txt + python3 field-integrations/shiftleft-utils/bestfix.py -a ${{ github.event.repository.name }} -o $GITHUB_WORKSPACE/ngsast-bestfix-report.html + bspoon $GITHUB_WORKSPACE/ngsast-bestfix-report.html --select body > $GITHUB_WORKSPACE/qwiet.html + BESTFIX_OUTPUT=$(cat $GITHUB_WORKSPACE/ngsast-bestfix-report.html) + BESTFIX_BODY=$(jq -n --arg body "$BESTFIX_OUTPUT" '{body: $body}') + + url="https://api.github.com/repos/${{ github.repository_owner }}/${{ github.event.repository.name }}/issues/${{github.event.number}}/comments" + + curl -s -X POST \ + -H "Accept: application/vnd.github+json" \ + -H "Authorization: Bearer ${GH_API_TOKEN}" \ + -d "${BESTFIX_BODY}" \ + "${url}" + env: + GH_API_TOKEN: ${{ secrets.API_TOKEN }} + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN_POC }} + - name: Download export.py and requirements.txt + run: | + curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/export.py + curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/config.py + curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/common.py + curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/requirements.txt + - name: Verify export.py file exists + run: | + ls -la ${GITHUB_WORKSPACE} + + - name: Install Python dependencies + run: | + python3 -m pip install --upgrade pip + python3 -m pip install -r requirements.txt + + - name: Run export.py and generate SARIF report + run: | + #APP_NAME=${{ github.event.repository.name }} + python3 ${GITHUB_WORKSPACE}/export.py -f sarif -a QwietAI-MultiLang + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN_POC }} + 
+ - name: Upload SARIF file to GitHub Security Tab + uses: github/codeql-action/upload-sarif@v3 # Updated to v3 + with: + sarif_file: ./ngsast-report-QwietAI-MultiLang.sarif # Correct dynamic path for SARIF output + + Build-Rules: + runs-on: ubuntu-latest + needs: NextGen-Static-Analysis + steps: + - uses: actions/checkout@v3 + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + - name: Validate Build Rules + run: | + ${GITHUB_WORKSPACE}/sl check-analysis --app QwietAI-MultiLang \ + --github-pr-number=${{github.event.number}} \ + --github-pr-user=${{ github.repository_owner }} \ + --github-pr-repo=${{ github.event.repository.name }} \ + --github-token=${{ secrets.GITHUB_TOKEN }} + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN_POC }} + SHIFTLEFT_API_HOST: www.shiftleft.io + SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443 + SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443 + diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml new file mode 100644 index 00000000..26556934 --- /dev/null +++ b/.github/workflows/shiftleft.yml 
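Review bot: The workflow declares no `permissions:` block, yet `github/codeql-action/upload-sarif@v3` needs `security-events: write`, so the job either fails under a read-only default token or is relying on a repository-wide permissive default that is far broader than it needs; declare `permissions: contents: read, security-events: write, pull-requests: write` on the job explicitly. With `pull-requests: write` in place, the Bestfix comment step can use `GH_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}` instead of the personal token in `secrets.API_TOKEN`, which is a standing credential exposed to the unpinned `git clone`, `pip3 install` and `curl -O …/master/…` code this job executes. `sarif_file: ./ngsast-report-QwietAI-MultiLang.sarif` is hard-coded while `export.py -f sarif -a QwietAI-MultiLang` is what determines that name; if the app name becomes a workflow-level `env:` value, use it in both places. The analysis step still interpolates `${{ github.head_ref || … }}` into a shell line and should pass it through `env:` as `BRANCH`.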
@@ -0,0 +1,60 @@ +--- +# This workflow integrates qwiet.ai preZero with GitHub +# Visit https://docs.shiftleft.io for help +name: qwiet.ai + +on: + pull_request: + workflow_dispatch: + +jobs: + NextGen-Static-Analysis: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Setup Java JDK v11.0.x + uses: actions/setup-java@v3 + with: + distribution: zulu + java-version: 11.0.x + + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + + - name: preZero Static Analysis + run: | + ${GITHUB_WORKSPACE}/sl --version + ${GITHUB_WORKSPACE}/sl analyze --strict --wait \ + --app shiftleft-java-demo \ + --tag branch=${{ github.head_ref }} \ + --javasrc --container 18fgsa/s3-resource . + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + SHIFTLEFT_API_HOST: www.shiftleft.io + SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443 + SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443 + + Build-Rules: + runs-on: ubuntu-latest + permissions: write-all + needs: NextGen-Static-Analysis + steps: + - uses: actions/checkout@v3 + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + - name: Validate Build Rules + run: | + ${GITHUB_WORKSPACE}/sl check-analysis --app shiftleft-java-demo \ + --github-pr-number=${{github.event.number}} \ + --github-pr-user=${{ github.repository_owner }} \ + --github-pr-repo=${{ github.event.repository.name }} \ + --github-token=${{ secrets.GITHUB_TOKEN }} + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + SHIFTLEFT_API_HOST: www.shiftleft.io + SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443 + SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443 + + diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml new file mode 100644 index 00000000..790332ec --- /dev/null +++ b/.github/workflows/test.yml 
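Review bot: The `Build-Rules` job declares `permissions: write-all`, handing `GITHUB_TOKEN` write access to contents, packages, deployments, actions and every other scope for a job whose only GitHub interaction is `sl check-analysis --github-token=…` reporting results to the PR; restrict it to what that call needs, which looks to be `pull-requests: write` (plus `checks: write` or `statuses: write` if the CLI also sets a commit status — confirm against the vendor docs). The `preZero Static Analysis` step puts `${{ github.head_ref }}` straight into the shell line as `--tag branch=…`; on `workflow_dispatch` that expression is empty, and on `pull_request` it is chosen by the PR author, so pass it via `env:` as `BRANCH` and quote it. Both jobs download the `sl` binary with a bare `curl` and no `-f` or checksum; use `curl -fsSL` and verify the artifact where possible.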
@@ -0,0 +1,61 @@ + +--- +# This workflow integrates ShiftLeft NG SAST with GitHub +# Visit https://docs.shiftleft.io for help +name: QwietTestNT + +on: + pull_request: + workflow_dispatch: + schedule: + # * is a special character in YAML so you have to quote this string + - cron: '0 11 * * 6' +jobs: + NextGen-Static-Analysis: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + # We are building this application with Java 11 + - name: Setup Java JDK + uses: actions/setup-java@v1.4.3 + with: + java-version: 1.8 + #- name: Package with maven + # run: mvn clean package + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + - name: Extract branch name + shell: bash + run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" + id: extract_branch + - name: NextGen Static Analysis + #run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --verbose --app Qwiet-java-GH --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --vcs-prefix-correction "io/shiftleft=src/main/java/" --java --container 18fgsa/s3-resource target/hello-shiftleft-0.0.1.jar + run: | + QWIET_EXTERNAL_SECRETS=true QWIET_ENABLE_MULTI_LANGUAGE_ANALYSIS=true ${GITHUB_WORKSPACE}/sl analyze --app Qwiet-java-GH --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + SHIFTLEFT_API_HOST: www.shiftleft.io + SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443 + SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443 + Build-Rules: + runs-on: ubuntu-latest + needs: NextGen-Static-Analysis + steps: + - uses: actions/checkout@v3 + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + - name: Validate Build Rules + run: | + ${GITHUB_WORKSPACE}/sl check-analysis --app Qwiet-java-GH \ + 
--github-pr-number=${{github.event.number}} \ + --github-pr-user=${{ github.repository_owner }} \ + --github-pr-repo=${{ github.event.repository.name }} \ + --github-token=${{ secrets.GITHUB_TOKEN }} + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + SHIFTLEFT_API_HOST: www.shiftleft.io + SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443 + SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443 + diff --git a/.harness/Build_shiftleft_java_demo_1696867748935-pr-trigger-input-set-1696867749886.yaml b/.harness/Build_shiftleft_java_demo_1696867748935-pr-trigger-input-set-1696867749886.yaml new file mode 100644 index 00000000..9f276314 --- /dev/null +++ b/.harness/Build_shiftleft_java_demo_1696867748935-pr-trigger-input-set-1696867749886.yaml @@ -0,0 +1,14 @@ +inputSet: + name: Build_shiftleft_java_demo_1696867748935-pr-trigger-input-set + identifier: Build_shiftleft_java_demo_1696867748935prtriggerinputset + orgIdentifier: default + projectIdentifier: QwietjavaHarness + pipeline: + identifier: Build_shiftleft_java_demo_1696867748935 + properties: + ci: + codebase: + build: + type: PR + spec: + number: <+trigger.prNumber> diff --git a/.harness/Build_shiftleft_java_demo_1696867748935-push-trigger-input-set-1696867750867.yaml b/.harness/Build_shiftleft_java_demo_1696867748935-push-trigger-input-set-1696867750867.yaml new file mode 100644 index 00000000..1a1cc5a6 --- /dev/null +++ b/.harness/Build_shiftleft_java_demo_1696867748935-push-trigger-input-set-1696867750867.yaml @@ -0,0 +1,14 @@ +inputSet: + name: Build_shiftleft_java_demo_1696867748935-push-trigger-input-set + identifier: Build_shiftleft_java_demo_1696867748935pushtriggerinputset + orgIdentifier: default + projectIdentifier: QwietjavaHarness + pipeline: + identifier: Build_shiftleft_java_demo_1696867748935 + properties: + ci: + codebase: + build: + type: branch + spec: + branch: <+trigger.branch> 
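Review bot: The analysis step in `test.yml` drops the `--strict --wait` flags that every sibling workflow in this commit passes, while `Build-Rules` still runs `sl check-analysis` immediately afterwards via `needs:`; if `--wait` is what blocks until the scan has completed server-side, the gate here may evaluate a previous or incomplete analysis — confirm the CLI semantics and restore `--wait` if so. `QWIET_EXTERNAL_SECRETS=true` and `QWIET_ENABLE_MULTI_LANGUAGE_ANALYSIS=true` are set as bare inline prefixes with no explanation; move them under the step's `env:` block with a one-line comment on what each enables. The same `${{ github.head_ref || … }}` shell interpolation appears here as in the other workflows and should be routed through `env:` rather than the command line.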
diff --git a/.harness/Build_shiftleft_java_demo_1696878707672-pr-trigger-input-set-1696878708669.yaml b/.harness/Build_shiftleft_java_demo_1696878707672-pr-trigger-input-set-1696878708669.yaml new file mode 100644 index 00000000..20ebf2a7 --- /dev/null +++ b/.harness/Build_shiftleft_java_demo_1696878707672-pr-trigger-input-set-1696878708669.yaml @@ -0,0 +1,14 @@ +inputSet: + name: Build_shiftleft_java_demo_1696878707672-pr-trigger-input-set + identifier: Build_shiftleft_java_demo_1696878707672prtriggerinputset + orgIdentifier: default + projectIdentifier: QwietjavaHarn + pipeline: + identifier: Build_shiftleft_java_demo_1696878707672 + properties: + ci: + codebase: + build: + type: PR + spec: + number: <+trigger.prNumber> diff --git a/.harness/Build_shiftleft_java_demo_1696878707672-push-trigger-input-set-1696878709630.yaml b/.harness/Build_shiftleft_java_demo_1696878707672-push-trigger-input-set-1696878709630.yaml new file mode 100644 index 00000000..da043653 --- /dev/null +++ b/.harness/Build_shiftleft_java_demo_1696878707672-push-trigger-input-set-1696878709630.yaml @@ -0,0 +1,14 @@ +inputSet: + name: Build_shiftleft_java_demo_1696878707672-push-trigger-input-set + identifier: Build_shiftleft_java_demo_1696878707672pushtriggerinputset + orgIdentifier: default + projectIdentifier: QwietjavaHarn + pipeline: + identifier: Build_shiftleft_java_demo_1696878707672 + properties: + ci: + codebase: + build: + type: branch + spec: + branch: <+trigger.branch> diff --git a/.harness/pipelines/shiftleft-java-demo-1696867734408.yaml b/.harness/pipelines/shiftleft-java-demo-1696867734408.yaml new file mode 100644 index 00000000..fa2e49bc --- /dev/null +++ b/.harness/pipelines/shiftleft-java-demo-1696867734408.yaml 
@@ -0,0 +1,33 @@ +pipeline: + identifier: Build_shiftleft_java_demo_1696867748935 + name: Build shiftleft-java-demo + orgIdentifier: default + projectIdentifier: QwietjavaHarness + properties: + ci: + codebase: + build: <+input> + connectorRef: account.Github_OAuth_1696007572273 + repoName: shiftleft-java-demo + stages: + - stage: + identifier: build + name: build + spec: + cloneCodebase: true + execution: + steps: + - step: + identifier: echo + name: echo + spec: + command: echo hello world + timeout: "" + type: Run + platform: + arch: Amd64 + os: Linux + runtime: + spec: {} + type: Cloud + type: CI diff --git a/.harness/pipelines/shiftleft-java-demo-1696878690934.yaml b/.harness/pipelines/shiftleft-java-demo-1696878690934.yaml new file mode 100644 index 00000000..426d8459 --- /dev/null +++ b/.harness/pipelines/shiftleft-java-demo-1696878690934.yaml @@ -0,0 +1,33 @@ +pipeline: + identifier: Build_shiftleft_java_demo_1696878707672 + name: Build shiftleft-java-demo + orgIdentifier: default + projectIdentifier: QwietjavaHarn + properties: + ci: + codebase: + build: <+input> + connectorRef: account.Github_OAuth_1696007572273 + repoName: shiftleft-java-demo + stages: + - stage: + identifier: build + name: build + spec: + cloneCodebase: true + execution: + steps: + - step: + identifier: echo + name: echo + spec: + command: echo hello world + timeout: "" + type: Run + platform: + arch: Amd64 + os: Linux + runtime: + spec: {} + type: Cloud + type: CI diff --git a/WORKSPACE b/WORKSPACE new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/WORKSPACE @@ -0,0 +1 @@ + diff --git a/maven.sh b/maven.sh new file mode 100644 index 00000000..b0a12425 --- /dev/null +++ b/maven.sh 
@@ -0,0 +1,17 @@
+mvn_version=${mvn_version:-3.8.5}
+url="http://www.mirrorservice.org/sites/ftp.apache.org/maven/maven-3/${mvn_version}/binaries/apache-maven-${mvn_version}-bin.tar.gz"
+install_dir="/opt/maven"
+
+mkdir ${install_dir}
+curl -fsSL ${url} | tar zx --strip-components=1 -C ${install_dir}
+cat << EOF > /etc/profile.d/maven.sh
+#!/bin/sh
+export MAVEN_HOME=${install_dir}
+export M2_HOME=${install_dir}
+export M2=${install_dir}/bin
+export PATH=${install_dir}/bin:$PATH
+EOF
+source /etc/profile.d/maven.sh
+echo maven installed to ${install_dir}
+mvn --version
+mvn clean package
diff --git a/shiftleft.yml b/shiftleft.yml
new file mode 100644
index 00000000..9258e2a1
--- /dev/null
+++ b/shiftleft.yml
@@ -0,0 +1,22 @@
+version: 2 # implies that check-analysis v2 should be used and therefore
+ # the --v2 flag can be omitted when running sl check-analysis
+build_rules:
+- id: Allow no critical findings
+ finding_types:
+ - vuln
+ severities:
+ - critical
+ threshold: 0
+ options:
+ num_findings: 10 # Return 10 sast findings
+- id: Allow one OSS or container finding
+ finding_types:
+ - oss_vuln
+ - container
+ threshold: 1
+- id: Allow no reachable OSS vulnerability
+ finding_types:
+ - oss_vuln
+ - container
+ options:
+ reachable: true
diff --git a/src/main/java/io/shiftleft/controller/CustomerController.java b/src/main/java/io/shiftleft/controller/CustomerController.java
index 40e1c491..b13ba0d0 100644
--- a/src/main/java/io/shiftleft/controller/CustomerController.java
+++ b/src/main/java/io/shiftleft/controller/CustomerController.java
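Review bot: `maven.sh` downloads the Maven tarball over plain `http://` from a third-party mirror and pipes it straight into `tar` with no checksum or signature check, so anyone on the network path can substitute the archive that `mvn clean package` then runs — evidently as root, since the script writes to `/etc/profile.d`. Fetch over HTTPS and verify the Apache-published SHA-512 before extracting (the `.sha512` file next to the tarball holds just the digest, so pair it with the filename for `sha512sum -c`). Unrelated but worth fixing in the same pass: the unquoted `<< EOF` heredoc expands `$PATH` when the profile file is written, baking the installer's PATH into `/etc/profile.d/maven.sh` (write `\$PATH`), `mkdir ${install_dir}` fails if the directory already exists, and there is no `set -euo pipefail`, so a failed download still proceeds to `mvn --version`.
```shell
set -euo pipefail
mvn_version=${mvn_version:-3.8.5}
base="https://archive.apache.org/dist/maven/maven-3/${mvn_version}/binaries"
tarball="apache-maven-${mvn_version}-bin.tar.gz"
install_dir="/opt/maven"

mkdir -p "${install_dir}"
curl -fsSL -o "/tmp/${tarball}" "${base}/${tarball}"
curl -fsSL -o "/tmp/${tarball}.sha512" "${base}/${tarball}.sha512"
echo "$(cat "/tmp/${tarball}.sha512")  /tmp/${tarball}" | sha512sum -c -
tar zx --strip-components=1 -C "${install_dir}" -f "/tmp/${tarball}"
cat << EOF > /etc/profile.d/maven.sh
# … unchanged: shebang and MAVEN_HOME / M2_HOME / M2 exports …
export PATH=${install_dir}/bin:\$PATH
EOF
# … unchanged: source, echo, mvn --version, mvn clean package …
```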
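Review bot: The third rule, `Allow no reachable OSS vulnerability`, sets `options: reachable: true` but no `threshold`, unlike the two rules above it, so whether it fails the build on a single reachable finding depends on the CLI's default for a missing threshold; state `threshold: 0` explicitly so the intent in the rule's `id` is enforced regardless of that default. The first rule gates only `vuln` findings of `critical` severity, which means high-severity SAST findings never block; if that is deliberate, a comment such as `# high-severity SAST findings are reported but do not block` would stop the next reader from "fixing" it. The `num_findings: 10 # Return 10 sast findings` comment describes report output rather than gating; a word that it does not affect pass/fail, assuming that is the documented behaviour, would help.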
@@ -1,222 +1,6 @@
 package io.shiftleft.controller;
-import io.shiftleft.model.Account;
-import io.shiftleft.model.Address;
-import java.io.BufferedReader;
-import java.io.BufferedWriter;
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.math.BigInteger;
-import java.nio.charset.StandardCharsets;
-import java.nio.file.Files;
-import java.nio.file.Paths;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.util.Arrays;
-import java.util.Base64;
-import java.util.Date;
-import java.util.HashSet;
-import java.util.List;
-
-import java.util.Set;
-import javax.annotation.PostConstruct;
-import javax.servlet.http.HttpServletResponse;
-import org.apache.commons.codec.digest.DigestUtils;
-import org.apache.http.HttpHeaders;
-import org.apache.http.auth.AuthenticationException;
-import org.apache.http.auth.UsernamePasswordCredentials;
-import org.apache.http.client.ClientProtocolException;
-import org.apache.http.client.methods.CloseableHttpResponse;
-import org.apache.http.client.methods.HttpPost;
-import org.apache.http.entity.StringEntity;
-import org.apache.http.impl.auth.BasicScheme;
-import org.apache.http.impl.client.CloseableHttpClient;
-import org.apache.http.impl.client.HttpClients;
-import org.joda.time.DateTime;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.PropertySource;
-import org.springframework.core.env.Environment;
-import org.springframework.core.io.ClassPathResource;
-import org.springframework.http.HttpStatus;
-import org.springframework.util.FileCopyUtils;
-import org.springframework.web.bind.annotation.PathVariable;
-import org.springframework.web.bind.annotation.RequestBody;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.RestController;
-import org.springframework.web.context.request.WebRequest;
-
-import com.ulisesbocchio.jasyptspringboot.annotation.EnableEncryptableProperties;
-
-import io.shiftleft.data.DataLoader;
-import io.shiftleft.exception.CustomerNotFoundException;
-import io.shiftleft.exception.InvalidCustomerRequestException;
-import io.shiftleft.model.Customer;
-import io.shiftleft.repository.CustomerRepository;
-
-import org.springframework.web.util.HtmlUtils;
-
-/**
- * Customer Controller exposes a series of RESTful endpoints
- */
-
-@Configuration
-@EnableEncryptableProperties
-@PropertySource({ "classpath:config/application-sfdc.properties" })
-@RestController
-public class CustomerController {
-
- @Autowired
- private CustomerRepository customerRepository;
-
- @Autowired
- Environment env;
-
- private static Logger log = LoggerFactory.getLogger(CustomerController.class);
-
- @PostConstruct
- public void init() {
- log.info("Start Loading SalesForce Properties");
- log.info("Url is {}", env.getProperty("sfdc.url"));
- log.info("UserName is {}", env.getProperty("sfdc.username"));
- log.info("Password is {}", env.getProperty("sfdc.password"));
- log.info("End Loading SalesForce Properties");
- }
-
- private void dispatchEventToSalesForce(String event)
- throws ClientProtocolException, IOException, AuthenticationException {
- CloseableHttpClient client = HttpClients.createDefault();
- HttpPost httpPost = new HttpPost(env.getProperty("sfdc.url"));
- httpPost.setEntity(new StringEntity(event));
- UsernamePasswordCredentials creds = new UsernamePasswordCredentials(env.getProperty("sfdc.username"),
- env.getProperty("sfdc.password"));
- httpPost.addHeader(new BasicScheme().authenticate(creds, httpPost, null));
-
- CloseableHttpResponse response = client.execute(httpPost);
- log.info("Response from 
SFDC is {}", response.getStatusLine().getStatusCode());
- client.close();
- }
-
- /**
- * Get customer using id. Returns HTTP 404 if customer not found
- *
- * @param customerId
- * @return retrieved customer
- */
- @RequestMapping(value = "/customers/{customerId}", method = RequestMethod.GET)
- public Customer getCustomer(@PathVariable("customerId") Long customerId) {
-
- /* validate customer Id parameter */
- if (null == customerId) {
- throw new InvalidCustomerRequestException();
- }
-
- Customer customer = customerRepository.findOne(customerId);
- if (null == customer) {
- throw new CustomerNotFoundException();
- }
-
- Account account = new Account(4242l,1234, "savings", 1, 0);
- log.info("Account Data is {}", account);
- log.info("Customer Data is {}", customer);
-
- try {
- dispatchEventToSalesForce(String.format(" Customer %s Logged into SalesForce", customer));
- } catch (Exception e) {
- log.error("Failed to Dispatch Event to SalesForce . Details {} ", e.getLocalizedMessage());
-
- }
-
- return customer;
- }
-
- /**
- * Handler for / loads the index.tpl
- * @param httpResponse
- * @param request
- * @return
- * @throws IOException
- */
- @RequestMapping(value = "/", method = RequestMethod.GET)
- public String index(HttpServletResponse httpResponse, WebRequest request) throws IOException {
- ClassPathResource cpr = new ClassPathResource("static/index.html");
- String ret = "";
- try {
- byte[] bdata = FileCopyUtils.copyToByteArray(cpr.getInputStream());
- ret= new String(bdata, StandardCharsets.UTF_8);
- } catch (IOException e) {
- //LOG.warn("IOException", e);
- }
- return ret;
- }
-
- /**
- * Check if settings= is present in cookie
- * @param request
- * @return
- */
- private boolean checkCookie(WebRequest request) throws Exception {
- try {
- return request.getHeader("Cookie").startsWith("settings=");
- }
- catch (Exception ex)
- {
- System.out.println(ex.getMessage());
- }
- return false;
- }
-
- /**
- * restores the preferences on the filesystem
- *
- 
* @param httpResponse
- * @param request
- * @throws Exception
- */
- @RequestMapping(value = "/loadSettings", method = RequestMethod.GET)
- public void loadSettings(HttpServletResponse httpResponse, WebRequest request) throws Exception {
- // get cookie values
- if (!checkCookie(request)) {
- httpResponse.getOutputStream().println("Error");
- throw new Exception("cookie is incorrect");
- }
- String md5sum = request.getHeader("Cookie").substring("settings=".length(), 41);
- ClassPathResource cpr = new ClassPathResource("static");
- File folder = new File(cpr.getPath());
- File[] listOfFiles = folder.listFiles();
- String filecontent = new String();
- for (File f : listOfFiles) {
- // not efficient, i know
- filecontent = new String();
- byte[] encoded = Files.readAllBytes(f.toPath());
- filecontent = new String(encoded, StandardCharsets.UTF_8);
- if (filecontent.contains(md5sum)) {
- // this will send me to the developer hell (if exists)
-
- // encode the file settings, md5sum is removed
- String s = new String(Base64.getEncoder().encode(filecontent.replace(md5sum, "").getBytes()));
- // setting the new cookie
- httpResponse.setHeader("Cookie", "settings=" + s + "," + md5sum);
- return;
- }
- }
- }
-
-
- /**
- * Saves the preferences (screen resolution, language..) on the filesystem
- *
- * @param httpResponse
- * @param request
- * @throws Exception
- */
- @RequestMapping(value = "/saveSettings", method = RequestMethod.GET)
+@RequestMapping(value = "/saveSettings", method = RequestMethod.GET)
 public void saveSettings(HttpServletResponse httpResponse, WebRequest request) throws Exception {
 // "Settings" will be stored in a cookie
 // schema: base64(filename,value1,value2...), md5sum(base64(filename,value1,value2...))
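Review bot: The new side of this hunk leaves `saveSettings` with no enclosing class and no imports: the removed lines include every `import`, the `@RestController`/`@Configuration` annotations and `public class CustomerController {`, yet the surviving method (its body continues into the following hunks) still references `RequestMapping`, `RequestMethod`, `HttpServletResponse`, `WebRequest`, `DigestUtils`, `Base64`, `ClassPathResource` and `File`, and the last hunk of this file (`@@ -262,129 +54,3 @@`) also deletes the class's closing `}`. As written the file cannot compile; the method needs to stay inside the class declaration with the imports it uses, or move to another controller. The added `+@RequestMapping` line is also at column 0 while the removed one was indented, which suggests the edit was made by text replacement rather than in the class context.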
@@ -228,8 +12,8 @@ public void saveSettings(HttpServletResponse httpResponse, WebRequest request) t String settingsCookie = request.getHeader("Cookie"); String[] cookie = settingsCookie.split(","); - if(cookie.length<2) { - httpResponse.getOutputStream().println("Malformed cookie"); +if(cookie.length<2) { + httpResponse.getOutputStream().println("Malformed cookie"); throw new Exception("cookie is incorrect"); } @@ -238,7 +22,7 @@ public void saveSettings(HttpServletResponse httpResponse, WebRequest request) t // Check md5sum String cookieMD5sum = cookie[1]; String calcMD5Sum = DigestUtils.md5Hex(base64txt); - if(!cookieMD5sum.equals(calcMD5Sum)) +if(!cookieMD5sum.equals(calcMD5Sum)) { httpResponse.getOutputStream().println("Wrong md5"); throw new Exception("Invalid MD5"); @@ -246,9 +30,17 @@ public void saveSettings(HttpServletResponse httpResponse, WebRequest request) t // Now we can store on filesystem String[] settings = new String(Base64.getDecoder().decode(base64txt)).split(","); - // storage will have ClassPathResource as basepath +// storage will have ClassPathResource as basepath ClassPathResource cpr = new ClassPathResource("./static/"); - File file = new File(cpr.getPath()+settings[0]); + + // Whitelist the filename to prevent directory traversal + String filename = settings[0]; + if(!filename.matches("[a-zA-Z0-9._-]+")) { + httpResponse.getOutputStream().println("Invalid filename"); + throw new Exception("Filename contains invalid characters"); + } + + File file = new File(cpr.getPath()+filename); if(!file.exists()) { file.getParentFile().mkdirs(); } 
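Review bot: In the `@@ -246,9 +30,17 @@` hunk the whitelist `[a-zA-Z0-9._-]+` still accepts `.` and `..` as the entire filename, so `cpr.getPath()+filename` can resolve to the static directory itself or its parent; the later `FileOutputStream` on a directory should fail with an `IOException` rather than write outside the tree (hedged, since `fos` is opened outside this hunk), but the intent is clearer if those names are rejected explicitly, e.g. `if(!filename.matches("[a-zA-Z0-9._-]+") || filename.equals(".") || filename.equals("..")) {`. The added lines in all three hunks here (`+if(cookie.length<2) {`, `+if(!cookieMD5sum.equals(calcMD5Sum))`, `+// storage will have ClassPathResource as basepath`) sit at column 0 while the surrounding method body is indented, so the functional fix is mixed with a whitespace rewrite; keeping the original indentation would make the diff show only the validation change. The enclosing method begins and ends outside these hunks.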
@@ -262,129 +54,3 @@ public void saveSettings(HttpServletResponse httpResponse, WebRequest request) t
 fos.close();
 httpResponse.getOutputStream().println("Settings Saved");
 }
-
- /**
- * Debug test for saving and reading a customer
- *
- * @param firstName String
- * @param lastName String
- * @param dateOfBirth String
- * @param ssn String
- * @param tin String
- * @param phoneNumber String
- * @param httpResponse
- * @param request
- * @return String
- * @throws IOException
- */
- @RequestMapping(value = "/debug", method = RequestMethod.GET)
- public String debug(@RequestParam String customerId,
- @RequestParam int clientId,
- @RequestParam String firstName,
- @RequestParam String lastName,
- @RequestParam String dateOfBirth,
- @RequestParam String ssn,
- @RequestParam String socialSecurityNum,
- @RequestParam String tin,
- @RequestParam String phoneNumber,
- HttpServletResponse httpResponse,
- WebRequest request) throws IOException{
-
- // empty for now, because we debug
- Set accounts1 = new HashSet();
- //dateofbirth example -> "1982-01-10"
- Customer customer1 = new Customer(customerId, clientId, firstName, lastName, DateTime.parse(dateOfBirth).toDate(),
- ssn, socialSecurityNum, tin, phoneNumber, new Address("Debug str",
- "", "Debug city", "CA", "12345"),
- accounts1);
-
- customerRepository.save(customer1);
- httpResponse.setStatus(HttpStatus.CREATED.value());
- httpResponse.setHeader("Location", String.format("%s/customers/%s",
- request.getContextPath(), customer1.getId()));
-
- return customer1.toString().toLowerCase().replace("script","");
- }
-
- /**
- * Debug test for saving and reading a customer
- *
- * @param firstName String
- * @param httpResponse
- * @param request
- * @return void
- * @throws IOException
- */
- @RequestMapping(value = "/debugEscaped", method = RequestMethod.GET)
- public void debugEscaped(@RequestParam String firstName, HttpServletResponse httpResponse,
- WebRequest request) throws IOException{
- String escaped = 
HtmlUtils.htmlEscape(firstName);
- System.out.println(escaped);
- httpResponse.getOutputStream().println(escaped);
- }
- /**
- * Gets all customers.
- *
- * @return the customers
- */
- @RequestMapping(value = "/customers", method = RequestMethod.GET)
- public List getCustomers() {
- return (List) customerRepository.findAll();
- }
-
- /**
- * Create a new customer and return in response with HTTP 201
- *
- * @param the
- * customer
- * @return created customer
- */
- @RequestMapping(value = { "/customers" }, method = { RequestMethod.POST })
- public Customer createCustomer(@RequestParam Customer customer, HttpServletResponse httpResponse,
- WebRequest request) {
-
- Customer createdcustomer = null;
- createdcustomer = customerRepository.save(customer);
- httpResponse.setStatus(HttpStatus.CREATED.value());
- httpResponse.setHeader("Location",
- String.format("%s/customers/%s", request.getContextPath(), customer.getId()));
-
- return createdcustomer;
- }
-
- /**
- * Update customer with given customer id.
- *
- * @param customer
- * the customer
- */
- @RequestMapping(value = { "/customers/{customerId}" }, method = { RequestMethod.PUT })
- public void updateCustomer(@RequestBody Customer customer, @PathVariable("customerId") Long customerId,
- HttpServletResponse httpResponse) {
-
- if (!customerRepository.exists(customerId)) {
- httpResponse.setStatus(HttpStatus.NOT_FOUND.value());
- } else {
- customerRepository.save(customer);
- httpResponse.setStatus(HttpStatus.NO_CONTENT.value());
- }
- }
-
- /**
- * Deletes the customer with given customer id if it exists and returns
- * HTTP204. 
- *
- * @param customerId
- * the customer id
- */
- @RequestMapping(value = "/customers/{customerId}", method = RequestMethod.DELETE)
- public void removeCustomer(@PathVariable("customerId") Long customerId, HttpServletResponse httpResponse) {
-
- if (customerRepository.exists(customerId)) {
- customerRepository.delete(customerId);
- }
-
- httpResponse.setStatus(HttpStatus.NO_CONTENT.value());
- }
-
-}