From 890ef8cdd2838eadc4f724decb166ad797b06138 Mon Sep 17 00:00:00 2001 From: Snehil Kishore Date: Thu, 31 Oct 2024 13:36:56 +0530 Subject: [PATCH] Adding Reversing Labs Scanner (#464) * Adding Reversing Labs Scanner * Changing the PHP Version to 8.2 * Adding Laravel Specific Build Files * New Changes To RL-Workflow * Added the need flag for release job * Testing Changes and get-version file changes * Reverting Testing Changes * Fixing PHP Stan and Rector Test Failures --- .github/actions/get-version/action.yml | 4 +- .github/actions/rl-scanner/action.yml | 71 +++++++++++++++++++ .github/workflows/release.yml | 17 +++++ .github/workflows/rl-scanner.yml | 68 ++++++++++++++++++ phpstan.neon.dist | 1 + rector.php | 16 ++--- .../CallbackControllerAbstract.php | 1 + src/Controllers/LoginControllerAbstract.php | 2 + src/Controllers/LogoutControllerAbstract.php | 2 + src/Guards/GuardAbstract.php | 1 + src/UserProviderAbstract.php | 1 + 11 files changed, 173 insertions(+), 11 deletions(-) create mode 100644 .github/actions/rl-scanner/action.yml create mode 100644 .github/workflows/rl-scanner.yml diff --git a/.github/actions/get-version/action.yml b/.github/actions/get-version/action.yml index 387fdba..4dafb52 100644 --- a/.github/actions/get-version/action.yml +++ b/.github/actions/get-version/action.yml @@ -17,7 +17,5 @@ runs: - id: get_version shell: bash run: | - VERSION=$(echo ${BRANCH_NAME} | sed -r 's#release/+##g') + VERSION=$(head -1 .version) echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT - env: - BRANCH_NAME: ${{ github.event.pull_request.head.ref }} diff --git a/.github/actions/rl-scanner/action.yml b/.github/actions/rl-scanner/action.yml new file mode 100644 index 0000000..b3df2d9 --- /dev/null +++ b/.github/actions/rl-scanner/action.yml 
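Review bot: `VERSION=$(head -1 .version)` writes the first line of `.version` to the step output with no validation, so a trailing CR, surrounding whitespace or an empty first line goes straight into `VERSION` and on to whatever consumes this output (the release steps are outside this diff); the old branch-name parse at least constrained the value to what followed `release/`. Trim and check it before writing, e.g. `VERSION=$(head -n 1 .version | tr -d '[:space:]')` followed by `[[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+ ]] || { echo "invalid .version: '$VERSION'"; exit 1; }` (adjust the pattern if releases are not semver). A missing file should already fail the step because GitHub runs `shell: bash` steps with `-e`, but now that the `BRANCH_NAME` env is gone a one-line comment on the step, `# .version (first line) is the single source of the release version`, would record where the value comes from.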
@@ -0,0 +1,71 @@ +name: 'Reversing Labs Scanner' +description: 'Runs the Reversing Labs scanner on a specified artifact.' +inputs: + artifact-path: + description: 'Path to the artifact to be scanned.' + required: true + version: + description: 'Version of the artifact.' + required: true + +runs: + using: 'composite' + steps: + - name: Set up Python + uses: actions/setup-python@v4 + with: + python-version: '3.10' + + - name: Install Python dependencies + shell: bash + run: | + pip install boto3 requests + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + role-to-assume: ${{ env.PRODSEC_TOOLS_ARN }} + aws-region: us-east-1 + mask-aws-account-id: true + + - name: Install RL Wrapper + shell: bash + run: | + pip install rl-wrapper>=1.0.0 --index-url "https://${{ env.PRODSEC_TOOLS_USER }}:${{ env.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple" + + - name: Run RL Scanner + shell: bash + env: + RLSECURE_LICENSE: ${{ env.RLSECURE_LICENSE }} + RLSECURE_SITE_KEY: ${{ env.RLSECURE_SITE_KEY }} + SIGNAL_HANDLER_TOKEN: ${{ env.SIGNAL_HANDLER_TOKEN }} + PYTHONUNBUFFERED: 1 + run: | + if [ ! -f "${{ inputs.artifact-path }}" ]; then + echo "Artifact not found: ${{ inputs.artifact-path }}" + exit 1 + fi + + rl-wrapper \ + --artifact "${{ inputs.artifact-path }}" \ + --name "${{ github.event.repository.name }}" \ + --version "${{ inputs.version }}" \ + --repository "${{ github.repository }}" \ + --commit "${{ github.sha }}" \ + --build-env "github_actions" \ + --suppress_output + + # Check the outcome of the scanner + if [ $? -ne 0 ]; then + echo "RL Scanner failed." + echo "scan-status=failed" >> $GITHUB_ENV + exit 1 + else + echo "RL Scanner passed." + echo "scan-status=success" >> $GITHUB_ENV + fi + +outputs: + scan-status: + description: 'The outcome of the scan process.' + value: ${{ env.scan-status }} \ No newline at end of file 
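Review bot: In the `Install RL Wrapper` step, `pip install rl-wrapper>=1.0.0 --index-url ...` is unquoted, so bash parses `>=1.0.0` as a redirection of stdout to a file named `=1.0.0` and pip receives the bare requirement `rl-wrapper` — the version floor is silently dropped and whatever is newest on the private index is installed and run against the artifact with the assumed AWS role and scanner license. Quote it and, given what it runs with, pin it: `pip install 'rl-wrapper==<version>' --index-url ...` (or a hash-locked requirements file with `--require-hashes`), and pass the index credentials through `PIP_INDEX_URL` in the step's `env:` rather than splicing them into the script text. The `if [ $? -ne 0 ]` branch after `rl-wrapper` is unreachable because GitHub runs `shell: bash` steps with `-eo pipefail`, so `scan-status=failed` is never written; either prefix that command with `set +e` or drop the branch and rely on the non-zero exit. `actions/setup-python@v4` and `aws-actions/configure-aws-credentials@v1` are referenced by mutable tags while this repo pins `setup-php` to a commit SHA; pin these the same way. `${{ inputs.artifact-path }}` is interpolated into the `run:` script in four places; reading it from an `env:` variable (`ARTIFACT="$ARTIFACT_PATH"`) avoids the script-injection pattern if the input ever comes from somewhere less controlled than this workflow.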
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7aa14e5..a6e3461 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,15 +5,32 @@ on: types: - closed + + permissions: contents: write + id-token: write # This is required for requesting the JWT ### TODO: Replace instances of './.github/actions/' w/ `auth0/dx-sdk-actions/` and append `@latest` after the common `dx-sdk-actions` repo is made public. ### TODO: Also remove `get-prerelease`, `get-version`, `release-create`, `tag-create` and `tag-exists` actions from this repo's .github/actions folder once the repo is public. jobs: + rl-scanner: + uses: ./.github/workflows/rl-scanner.yml + with: + php-version: 8.2 + artifact-name: 'laravel-auth0.zip' + secrets: + RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} + RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} + SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} + PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} + PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} + PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} + release: if: github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/') + needs: rl-scanner runs-on: ubuntu-latest steps: diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml new file mode 100644 index 0000000..0a27d20 --- /dev/null +++ b/.github/workflows/rl-scanner.yml 
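Review bot: `id-token: write` is added at the workflow level, which lets every job in this workflow — including `release`, which only needs `contents: write` — mint OIDC tokens that the AWS role in the scanner trusts; only the scanner job needs it. Scope it to that job instead: on the `rl-scanner` job add `permissions:` with `id-token: write` and `contents: read` (a reusable workflow runs with the calling job's permissions), and leave the top-level block at `contents: write`. A comment next to `needs: rl-scanner` would also help, e.g. `# gate: the called job fails (composite action exits non-zero) when the scan fails; its scan-status output is not read here`, so nobody later assumes the output is what blocks the release.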
@@ -0,0 +1,68 @@ +name: RL-Secure Workflow + +on: + workflow_call: + inputs: + php-version: + required: true + type: string + artifact-name: + required: true + type: string + secrets: + RLSECURE_LICENSE: + required: true + RLSECURE_SITE_KEY: + required: true + SIGNAL_HANDLER_TOKEN: + required: true + PRODSEC_TOOLS_USER: + required: true + PRODSEC_TOOLS_TOKEN: + required: true + PRODSEC_TOOLS_ARN: + required: true + +jobs: + rl-scanner: + if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) + runs-on: ubuntu-latest + outputs: + scan-status: ${{ steps.rl-scan-conclusion.outcome }} + + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha || github.sha || github.ref }} + + - name: Setup PHP + uses: shivammathur/setup-php@4bd44f22a98a19e0950cbad5f31095157cc9621b # pin@2.25.4 + with: + php-version: ${{ inputs.php-version }} + + - name: Build Laravel + shell: bash + run: | + zip -r ${{ inputs.artifact-name }} ./* + + - name: Get Artifact Version + id: get_version + uses: ./.github/actions/get-version + + - name: Run RL Scanner + id: rl-scan-conclusion + uses: ./.github/actions/rl-scanner + with: + artifact-path: "$(pwd)/${{ inputs.artifact-name }}" + version: "${{ steps.get_version.outputs.version }}" + env: + RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} + RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} + SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} + PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} + PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} + PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} + + - name: Output scan result + run: echo "scan-status=${{ steps.rl-scan-conclusion.outcome }}" >> $GITHUB_ENV \ No newline at end of file diff --git a/phpstan.neon.dist b/phpstan.neon.dist index 4b604cc..c332cb1 100644 --- a/phpstan.neon.dist 
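Review bot: `artifact-path: "$(pwd)/${{ inputs.artifact-name }}"` passes a shell substitution as an action input and only works because the composite action splices the input verbatim into its `run:` script; use the expression context instead, `artifact-path: "${{ github.workspace }}/${{ inputs.artifact-name }}"`, so the path is fixed before any shell sees it. The checkout `ref` prefers `github.event.pull_request.head.sha`, i.e. the PR branch tip rather than the commit that landed on the base branch, so the zip that is scanned may not be the tree the `release` job (outside this hunk) publishes — for merged PRs `github.event.pull_request.merge_commit_sha` is the commit that actually shipped. `actions/checkout@v4` is referenced by a mutable tag while `setup-php` in the same step list is pinned to a commit SHA; pin it the same way. The `Build Laravel` step runs no `composer install`, so only first-party source ends up in the zip and is scanned; that may be intended for a Composer library, but a comment saying so (`# source-only artifact: dependencies are resolved by consumers, not scanned here`) would prevent the step name from suggesting otherwise.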
+++ b/phpstan.neon.dist @@ -13,6 +13,7 @@ parameters: - '#Constructor of class (.*) has an unused parameter (.*).#' - '#Method (.*) has parameter (.*) with no value type specified in iterable type array.#' - '#no value type specified in iterable type array.#' + - '#Dynamic call to static method (.*).#' reportUnmatchedIgnoredErrors: false treatPhpDocTypesAsCertain: false diff --git a/rector.php b/rector.php index 0ce4154..a0fee44 100644 --- a/rector.php +++ b/rector.php @@ -339,8 +339,8 @@ // ArrayShapeFromConstantArrayReturnRector::class, // BinarySwitchToIfElseRector::class, BooleanNotIdenticalToNotIdenticalRector::class, - BoolvalToTypeCastRector::class, - CallableThisArrayToAnonymousFunctionRector::class, + //BoolvalToTypeCastRector::class, + //CallableThisArrayToAnonymousFunctionRector::class, CallUserFuncArrayToVariadicRector::class, CallUserFuncToMethodCallRector::class, CallUserFuncWithArrowFunctionToInlineRector::class, @@ -373,19 +373,19 @@ // FinalizeClassesWithoutChildrenRector::class, FinalPrivateToPrivateVisibilityRector::class, FlipTypeControlToUseExclusiveTypeRector::class, - FloatvalToTypeCastRector::class, + //FloatvalToTypeCastRector::class, ForeachItemsAssignToEmptyArrayToAssignRector::class, ForeachToInArrayRector::class, ForRepeatedCountToOwnVariableRector::class, // ForToForeachRector::class, FuncGetArgsToVariadicParamRector::class, - GetClassToInstanceOfRector::class, + //GetClassToInstanceOfRector::class, GetDebugTypeRector::class, InlineArrayReturnAssignRector::class, InlineConstructorDefaultToPropertyRector::class, InlineIfToExplicitIfRector::class, InlineIsAInstanceOfRector::class, - IntvalToTypeCastRector::class, + //IntvalToTypeCastRector::class, IsAWithStringWithThirdArgumentRector::class, IssetOnPropertyObjectToPropertyExistsRector::class, JoinStringConcatRector::class, 
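Review bot: The new ignore pattern `'#Dynamic call to static method (.*).#'` suppresses that diagnostic for the whole code base rather than the call sites that triggered it, and with `reportUnmatchedIgnoredErrors: false` already set a few lines below, the pattern will never be flagged once it stops matching anything. If the calls are Laravel facade/Eloquent-style dynamic statics, scope the entry with PHPStan's `- message: ... paths: [...]` form to those files, and add a comment above it naming what triggered it (`# Laravel facades/models are called dynamically; see <class>`) so the suppression can be revisited.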
@@ -459,7 +459,7 @@ ReturnNeverTypeRector::class, ReturnTypeFromReturnDirectArrayRector::class, ReturnTypeFromReturnNewRector::class, - ReturnTypeFromStrictBoolReturnExprRector::class, + //ReturnTypeFromStrictBoolReturnExprRector::class, ReturnTypeFromStrictConstantReturnRector::class, ReturnTypeFromStrictNativeCallRector::class, ReturnTypeFromStrictNewArrayRector::class, @@ -507,7 +507,7 @@ StringableForToStringRector::class, StrlenZeroToIdenticalEmptyStringRector::class, StrStartsWithRector::class, - StrvalToTypeCastRector::class, + //StrvalToTypeCastRector::class, SwitchNegatedTernaryRector::class, SymplifyQuoteEscapeRector::class, TernaryConditionVariableAssignmentRector::class, @@ -527,7 +527,7 @@ UnwrapSprintfOneArgumentRector::class, UseClassKeywordForClassNameResolutionRector::class, UseIdenticalOverEqualWithSameTypeRector::class, - UseIncrementAssignRector::class, + //UseIncrementAssignRector::class, // VarAnnotationIncorrectNullableRector::class, // VarConstantCommentRector::class, VarToPublicPropertyRector::class, diff --git a/src/Controllers/CallbackControllerAbstract.php b/src/Controllers/CallbackControllerAbstract.php index bd9a461..82a4340 100644 --- a/src/Controllers/CallbackControllerAbstract.php +++ b/src/Controllers/CallbackControllerAbstract.php @@ -18,6 +18,7 @@ use Throwable; use function is_string; +use function sprintf; /** * @api diff --git a/src/Controllers/LoginControllerAbstract.php b/src/Controllers/LoginControllerAbstract.php index 7c558d2..83343e2 100644 --- a/src/Controllers/LoginControllerAbstract.php +++ b/src/Controllers/LoginControllerAbstract.php @@ -13,6 +13,8 @@ use Illuminate\Http\Request; use Symfony\Component\HttpFoundation\Response; +use function sprintf; + /** * Controller for handling a login request. * diff --git a/src/Controllers/LogoutControllerAbstract.php b/src/Controllers/LogoutControllerAbstract.php index c5d81f6..62cf1b3 100644 --- a/src/Controllers/LogoutControllerAbstract.php 
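Review bot: The rector.php hunks disable rules by commenting them out — `//ReturnTypeFromStrictBoolReturnExprRector::class`, `//StrvalToTypeCastRector::class`, `//UseIncrementAssignRector::class` here, and five more in the earlier hunks — with no indication of what failed under PHP 8.2 or whether they are meant to come back, so they read as accidental. Either delete the entries or add a one-line comment per group, e.g. `// disabled: rewrite broke under PHP 8.2 (see #464); revisit before re-enabling`. The surrounding file writes disabled rules as `// ArrayShapeFromConstantArrayReturnRector::class,` with a space after `//`; the new lines omit it, so match the existing style.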
+++ b/src/Controllers/LogoutControllerAbstract.php @@ -12,6 +12,8 @@ use Illuminate\Http\Request; use Symfony\Component\HttpFoundation\Response; +use function sprintf; + /** * Controller for handling a logout request. * diff --git a/src/Guards/GuardAbstract.php b/src/Guards/GuardAbstract.php index f5cf935..175c149 100644 --- a/src/Guards/GuardAbstract.php +++ b/src/Guards/GuardAbstract.php @@ -22,6 +22,7 @@ use function is_array; use function is_int; use function is_string; +use function sprintf; /** * @internal diff --git a/src/UserProviderAbstract.php b/src/UserProviderAbstract.php index 6b3b0db..2d6f223 100644 --- a/src/UserProviderAbstract.php +++ b/src/UserProviderAbstract.php @@ -10,6 +10,7 @@ use Illuminate\Support\Facades\Cache; use function is_string; +use function sprintf; /** * User provider for the Auth0 user repository.