From ca987d60167a64353715e516e87bb47fa0e32ef6 Mon Sep 17 00:00:00 2001 From: d-co-white <98342720+d-co-white@users.noreply.github.com> Date: Fri, 17 May 2024 17:54:15 -0600 Subject: [PATCH 01/35] Create codeql.yml --- .github/workflows/codeql.yml | 93 ++++++++++++++++++++++++++++++++++++ 1 file changed, 93 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 00000000..b36bd538 --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,93 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '39 10 * * 2' + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + # Runner size impacts CodeQL analysis time. To learn more, please see: + # - https://gh.io/recommended-hardware-resources-for-running-codeql + # - https://gh.io/supported-runners-and-hardware-resources + # - https://gh.io/using-larger-runners (GitHub.com only) + # Consider using larger runners or machines with greater resources for possible analysis time improvements. 
+ runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} + permissions: + # required for all workflows + security-events: write + + # required to fetch internal or private CodeQL packs + packages: read + + # only required for workflows in private repositories + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + include: + - language: java-kotlin + build-mode: autobuild + # CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' + # Use `c-cpp` to analyze code written in C, C++ or both + # Use 'java-kotlin' to analyze code written in Java, Kotlin or both + # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both + # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, + # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. + # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how + # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. 
+ + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + # If the analyze step fails for one of the languages you are analyzing with + # "We were unable to automatically build your code", modify the matrix above + # to set the build mode to "manual" for that language. Then modify this step + # to build your code. + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + - if: matrix.build-mode == 'manual' + shell: bash + run: | + echo 'If you are using a "manual" build mode for one or more of the' \ + 'languages you are analyzing, replace this with the commands to build' \ + 'your code, for example:' + echo ' make bootstrap' + echo ' make release' + exit 1 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" From b63b11a6ed718af0856e7a31706aa3020f1fe258 Mon Sep 17 00:00:00 2001 From: Dana White Date: Fri, 17 May 2024 17:46:14 -0600 Subject: [PATCH 02/35] Removed old workflows added in codql --- .github/workflows/build.yaml | 14 ------- .github/workflows/codeql-analysis.yml | 59 +++++++++++++++++++++++++++ .github/workflows/hawkscan.yml | 32 --------------- .github/workflows/release.yaml | 19 --------- 4 files changed, 59 insertions(+), 65 deletions(-) delete mode 100644 .github/workflows/build.yaml create mode 100644 .github/workflows/codeql-analysis.yml delete mode 100644 .github/workflows/hawkscan.yml delete mode 100644 .github/workflows/release.yaml diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml deleted file mode 100644 index 02ba22c6..00000000 --- a/.github/workflows/build.yaml +++ /dev/null 
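Review bot: Every `uses:` in this workflow references a mutable tag (`actions/checkout@v4`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`) while the job holds `security-events: write`, so a moved or compromised tag would run different code with that scope. Pin each action to a full commit SHA and keep the tag as a comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`, and let Dependabot's `github-actions` ecosystem maintain the pins. The `if: matrix.build-mode == 'manual'` step is unreachable here because the only matrix entry is `java-kotlin` with `build-mode: autobuild`; either drop it or leave a one-line comment that it is the template's stub for a future manual build, so the `exit 1` is not mistaken for a real failure path.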
@@ -1,14 +0,0 @@ -name: Build -on: - pull_request: - branches: - - main - -jobs: - - build: - runs-on: ubuntu-22.04 - steps: - - uses: actions/checkout@v2 - - name: Gradle build - run: ./gradlew :build diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 00000000..a3470c0c --- /dev/null +++ b/.github/workflows/codeql-analysis.yml 
@@ -0,0 +1,59 @@ +name: "CodeQL" + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'java' ] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v2 + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. 
+ + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 \ No newline at end of file diff --git a/.github/workflows/hawkscan.yml b/.github/workflows/hawkscan.yml deleted file mode 100644 index b0af59a4..00000000 --- a/.github/workflows/hawkscan.yml +++ /dev/null @@ -1,32 +0,0 @@ -name: HawkScan -on: - repository_dispatch: - types: [integration-initial-test] -jobs: - hawkscan: - name: HawkScan - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: Create ${{ github.event.client_payload.repoName }} app directory - run: mkdir -p common/build/integrationTests/hawkscan-action/apps/${{ github.event.client_payload.repoName }} - - name: Navigate to ${{ github.event.client_payload.repoName }} app directory - run: cd common/build/integrationTests/hawkscan-action/apps/${{ github.event.client_payload.repoName }} - - name: Checkout vulny repo - run: git clone https://github.com/${{ github.event.client_payload.repoOrg }}/${{ github.event.client_payload.repoName }}.git - - name: Run ${{ github.event.client_payload.repoName }} - run: docker-compose up -d - - name: Navigate to repo root directory - run: cd /home/runner/work/${{ github.event.client_payload.repoName }}/${{ github.event.client_payload.repoName }} - - name: Run HawkScan - id: run-hawkscan - uses: stackhawk/hawkscan-action@main - with: - apiKey: ${{ secrets.HAWK_API_KEY }} - configurationFiles: ${{ github.event.client_payload.configFile }} - sourceURL: ${{ github.event.client_payload.hawkscanSourceUrl }} - version: ${{ github.event.client_payload.hawkscanVersion }} - verbose: ${{ github.event.client_payload.verbose }} - env: - # APPLICATION_ID: ${{ github.event.client_payload.appId }} - APP_ID: ${{ github.event.client_payload.appId }} diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml deleted file mode 100644 index 48e6abdd..00000000 
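Review bot: This file is a second workflow also named "CodeQL", on the same `push`/`pull_request` `main` triggers and the same Java code, but on older action majors (`actions/checkout@v3`, `github/codeql-action/init@v2`, `autobuild@v2`, `analyze@v2`) than the `codeql.yml` added in the previous patch. Running both doubles analysis time and, as far as I can tell from the two files, uploads two `java` result sets for every commit; if the intent was to replace the template, delete one of the two rather than carrying both. If this one is kept, bump it to the `@v3`/`@v4` majors used by `codeql.yml` so the two do not diverge on the CodeQL CLI version.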
--- a/.github/workflows/release.yaml +++ /dev/null @@ -1,19 +0,0 @@ -name: Release Tag -on: - push: - tags: - - '*' - -jobs: - release: - if: startsWith(github.ref, 'refs/tags/') - runs-on: ubuntu-22.04 - steps: - - uses: actions/checkout@v2 - - name: Gradle assemble - run: './gradlew :assemble' - - uses: softprops/action-gh-release@v1 - name: release files - with: - files: | - build/libs/java-spring-vuly-0.2.0.jar From 4b177050fd4580bd93391139562b3fabada4eef6 Mon Sep 17 00:00:00 2001 From: Dana White Date: Fri, 17 May 2024 18:12:56 -0600 Subject: [PATCH 03/35] Added in hawkscan action --- .github/workflows/codeql-analysis.yml | 59 --------------------------- .github/workflows/hawkscan-scan.yml | 21 ++++++++++ 2 files changed, 21 insertions(+), 59 deletions(-) delete mode 100644 .github/workflows/codeql-analysis.yml create mode 100644 .github/workflows/hawkscan-scan.yml diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml deleted file mode 100644 index a3470c0c..00000000 --- a/.github/workflows/codeql-analysis.yml +++ /dev/null 
@@ -1,59 +0,0 @@ -name: "CodeQL" - -on: - push: - branches: [ "main" ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ "main" ] - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: [ 'java' ] - # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support - - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality - - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v2 - - # ℹī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. 
- - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 \ No newline at end of file diff --git a/.github/workflows/hawkscan-scan.yml b/.github/workflows/hawkscan-scan.yml new file mode 100644 index 00000000..6a67626f --- /dev/null +++ b/.github/workflows/hawkscan-scan.yml @@ -0,0 +1,21 @@ +name: "action-tests" +on: + pull_request: + +jobs: + javaspringvulny-test: + name: Java Spring Vulny Test + runs-on: ubuntu-latest + steps: + - name: Checkout javaspringvulny repository + uses: actions/checkout@v3 + - name: Run javaspringvulny + run: docker-compose up -d + - name: Run Hawkscan + uses: stackhawk/hawkscan-action@v2.1.3 + with: + apiKey: ${{ secrets.HAWK_API_KEY }} + configurationFiles: stackhawk-jsv-json-token.yml + env: + APPLICATION_ID: ${{ env.APPLICATION_ID }} + ENV: action-scan \ No newline at end of file From c576c288553d16764eaa5b3b8973d5c789f99e83 Mon Sep 17 00:00:00 2001 From: Dana White Date: Fri, 17 May 2024 18:19:34 -0600 Subject: [PATCH 04/35] Fixing hawkscan --- .github/workflows/hawkscan-scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/hawkscan-scan.yml b/.github/workflows/hawkscan-scan.yml index 6a67626f..e499796e 100644 --- a/.github/workflows/hawkscan-scan.yml +++ b/.github/workflows/hawkscan-scan.yml @@ -15,7 +15,7 @@ jobs: uses: stackhawk/hawkscan-action@v2.1.3 with: apiKey: ${{ secrets.HAWK_API_KEY }} - configurationFiles: stackhawk-jsv-json-token.yml + configurationFiles: stackhawk.yml stackhawk.d/stackhawk-jsv-json-token.yml env: - APPLICATION_ID: ${{ env.APPLICATION_ID }} + APP_ID: ${{ env.APPLICATION_ID }} ENV: action-scan \ No newline at end of file From 10b016e58434d9e3ed22c82b5c9ae1a1d628dc2e Mon Sep 17 00:00:00 2001 
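Review bot: The new `javaspringvulny-test` job has no `permissions:` block, so it runs a third-party action (`stackhawk/hawkscan-action@v2.1.3`, by mutable tag) with whatever the repository's default `GITHUB_TOKEN` scope is; add `permissions:` with `contents: read` at the job level and widen it only for the steps that need more. The unrestricted `on: pull_request:` trigger also means `secrets.HAWK_API_KEY` is empty for pull requests from forks and the scan step will fail for external contributors — that is the safe failure mode, so do not "fix" it by switching to `pull_request_target`, which would hand the secret to code that this job checks out and executes via `docker-compose up -d`. `docker-compose up -d` returns as soon as the containers are created; unless the compose file has a health check the action waits on, the scanner may start before the application is listening, so a readiness wait (a curl loop against the app port) before "Run Hawkscan" would make the check deterministic.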
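Review bot: `APP_ID: ${{ env.APPLICATION_ID }}` still reads an env var that is not defined at workflow, job, or step level anywhere in this file, so it expands to an empty string and the scan is started with no application id. Either define it once under a top-level `env:` or, better, take it from a repository variable so the workflow file does not need to change per application, e.g. `APP_ID: ${{ vars.HAWK_APP_ID }}`. The rename from `APPLICATION_ID` to `APP_ID` matches the key the deleted `hawkscan.yml` used, which suggests `APP_ID` is the name the action reads, but that is inferred from the old file rather than from the action itself.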
From: Dana White Date: Fri, 17 May 2024 18:25:18 -0600 Subject: [PATCH 05/35] More things --- .github/workflows/hawkscan-scan.yml | 2 +- stackhawk.d/stackhawk-jsv-json-token.yml | 5 ----- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/.github/workflows/hawkscan-scan.yml b/.github/workflows/hawkscan-scan.yml index e499796e..6d812407 100644 --- a/.github/workflows/hawkscan-scan.yml +++ b/.github/workflows/hawkscan-scan.yml @@ -15,7 +15,7 @@ jobs: uses: stackhawk/hawkscan-action@v2.1.3 with: apiKey: ${{ secrets.HAWK_API_KEY }} - configurationFiles: stackhawk.yml stackhawk.d/stackhawk-jsv-json-token.yml + configurationFiles: stackhawk.d/stackhawk.yml stackhawk.d/stackhawk-jsv-json-token.yml env: APP_ID: ${{ env.APPLICATION_ID }} ENV: action-scan \ No newline at end of file diff --git a/stackhawk.d/stackhawk-jsv-json-token.yml b/stackhawk.d/stackhawk-jsv-json-token.yml index de2576d0..6dd150f6 100644 --- a/stackhawk.d/stackhawk-jsv-json-token.yml +++ b/stackhawk.d/stackhawk-jsv-json-token.yml @@ -2,11 +2,6 @@ hawk: spider: maxDurationMinutes: 2 app: - env: ${APP_ENV:dev} - openApiConf: - path: /openapi.yml - env: dev - host: ${APP_HOST:https://localhost:9000} authentication: loggedInIndicator: "\\QSign Out\\E" loggedOutIndicator: ".*Location:.*/login.*" From 3172da1f41c20e18712358ce292e95c9eabfaaad Mon Sep 17 00:00:00 2001 From: Dana White Date: Fri, 17 May 2024 18:35:26 -0600 Subject: [PATCH 06/35] hardcoding app id --- .github/workflows/hawkscan-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/hawkscan-scan.yml b/.github/workflows/hawkscan-scan.yml index 6d812407..ff7c9f47 100644 --- a/.github/workflows/hawkscan-scan.yml +++ b/.github/workflows/hawkscan-scan.yml 
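Review bot: Removing `app.env` (`${APP_ENV:dev}`) and `app.host` (`${APP_HOST:https://localhost:9000}`) from `stackhawk-jsv-json-token.yml` leaves this file with no scan target, so the merged configuration depends entirely on `stackhawk.d/stackhawk.yml`, which is referenced in the workflow but never shown in this series. Please confirm that base file sets `app.host`, `app.env` and `app.applicationId`; if it does not, the scan will have nothing to point at and the `ENV: action-scan` value exported by the workflow is referenced by nothing visible here. A one-line comment at the top of this file naming the base file it is layered on, e.g. `# Overrides for stackhawk.d/stackhawk.yml: JWT auth + OpenAPI discovery only`, would make that dependency explicit for the next reader.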
@@ -17,5 +17,5 @@ jobs: apiKey: ${{ secrets.HAWK_API_KEY }} configurationFiles: stackhawk.d/stackhawk.yml stackhawk.d/stackhawk-jsv-json-token.yml env: - APP_ID: ${{ env.APPLICATION_ID }} + APP_ID: fe3b8948-0edb-4fa4-a3b7-6fa200461f78 ENV: action-scan \ No newline at end of file From a63d502c5a5e461bb7fe04a491e8201e12f6ab17 Mon Sep 17 00:00:00 2001 From: Dana White Date: Fri, 17 May 2024 18:47:06 -0600 Subject: [PATCH 07/35] Moar integrations --- .github/workflows/hawkscan-scan.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/hawkscan-scan.yml b/.github/workflows/hawkscan-scan.yml index ff7c9f47..57b076f9 100644 --- a/.github/workflows/hawkscan-scan.yml +++ b/.github/workflows/hawkscan-scan.yml @@ -18,4 +18,5 @@ jobs: configurationFiles: stackhawk.d/stackhawk.yml stackhawk.d/stackhawk-jsv-json-token.yml env: APP_ID: fe3b8948-0edb-4fa4-a3b7-6fa200461f78 - ENV: action-scan \ No newline at end of file + ENV: action-scan + SARIF_ARTIFACT: true \ No newline at end of file From d38a4d9896a39d3ec1618eedbd3255ac5d4a3bd1 Mon Sep 17 00:00:00 2001 From: Dana White Date: Fri, 17 May 2024 19:31:14 -0600 Subject: [PATCH 08/35] open api --- stackhawk.d/stackhawk-jsv-json-token.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/stackhawk.d/stackhawk-jsv-json-token.yml b/stackhawk.d/stackhawk-jsv-json-token.yml index 6dd150f6..4cae6cfe 100644 --- a/stackhawk.d/stackhawk-jsv-json-token.yml +++ b/stackhawk.d/stackhawk-jsv-json-token.yml @@ -2,6 +2,8 @@ hawk: spider: maxDurationMinutes: 2 app: + openApiConf: + path: /openapi.yml authentication: loggedInIndicator: "\\QSign Out\\E" loggedOutIndicator: ".*Location:.*/login.*" From 22386f636c18ee15ae99e67e4ea93ce64a0fe75d Mon Sep 17 00:00:00 2001 From: Dana White Date: Fri, 17 May 2024 19:34:49 -0600 Subject: [PATCH 09/35] github --- .github/workflows/hawkscan-scan.yml | 1 + 1 file changed, 1 insertion(+) 
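Review bot: `APP_ID: fe3b8948-0edb-4fa4-a3b7-6fa200461f78` hard-codes a StackHawk application id into the workflow; it is not a credential, but it ties this file to one tenant's application and has to be edited by hand when the scan is pointed at another. Prefer a repository or environment variable, `APP_ID: ${{ vars.HAWK_APP_ID }}`, which keeps the id out of the committed YAML and alongside `HAWK_API_KEY` in repository settings. If the literal stays, a comment naming which StackHawk application and environment it belongs to would save the next maintainer a lookup.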
diff --git a/.github/workflows/hawkscan-scan.yml b/.github/workflows/hawkscan-scan.yml index 57b076f9..4ff275c3 100644 --- a/.github/workflows/hawkscan-scan.yml +++ b/.github/workflows/hawkscan-scan.yml @@ -16,6 +16,7 @@ jobs: with: apiKey: ${{ secrets.HAWK_API_KEY }} configurationFiles: stackhawk.d/stackhawk.yml stackhawk.d/stackhawk-jsv-json-token.yml + sarif_file: stackhawk.sarif env: APP_ID: fe3b8948-0edb-4fa4-a3b7-6fa200461f78 ENV: action-scan From 1366b35dbd94656ba6ead849bcd511d4f126cfe4 Mon Sep 17 00:00:00 2001 From: Dana White Date: Fri, 17 May 2024 19:38:04 -0600 Subject: [PATCH 10/35] SHA and branch --- .github/workflows/hawkscan-scan.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/hawkscan-scan.yml b/.github/workflows/hawkscan-scan.yml index 4ff275c3..eedd7a36 100644 --- a/.github/workflows/hawkscan-scan.yml +++ b/.github/workflows/hawkscan-scan.yml @@ -20,4 +20,6 @@ jobs: env: APP_ID: fe3b8948-0edb-4fa4-a3b7-6fa200461f78 ENV: action-scan - SARIF_ARTIFACT: true \ No newline at end of file + SARIF_ARTIFACT: true + COMMIT_SHA: ${{ github.event.pull_request.head.sha }} + BRANCH_NAME: ${{ github.head_ref }} \ No newline at end of file From 1f0f742635ca9a217050397ca713080e4ec35846 Mon Sep 17 00:00:00 2001 From: Dana White Date: Fri, 17 May 2024 19:40:48 -0600 Subject: [PATCH 11/35] Correct openapi path --- stackhawk.d/stackhawk-jsv-json-token.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stackhawk.d/stackhawk-jsv-json-token.yml b/stackhawk.d/stackhawk-jsv-json-token.yml index 4cae6cfe..0a7a0e76 100644 --- a/stackhawk.d/stackhawk-jsv-json-token.yml +++ b/stackhawk.d/stackhawk-jsv-json-token.yml @@ -3,7 +3,7 @@ hawk: maxDurationMinutes: 2 app: openApiConf: - path: /openapi.yml + path: /openapi authentication: loggedInIndicator: "\\QSign Out\\E" loggedOutIndicator: ".*Location:.*/login.*" From f11ad6a449f78ea498e0ad07ef5905061c7097e4 Mon Sep 17 00:00:00 2001 
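Review bot: `BRANCH_NAME: ${{ github.head_ref }}` is a value chosen by whoever opens the pull request, including fork authors, so it must stay confined to `env:` as it is here; never interpolate `github.head_ref` or `BRANCH_NAME` into a `run:` script line, where it becomes a shell-injection vector. Both `COMMIT_SHA` and `BRANCH_NAME` are empty on any trigger other than `pull_request`, which is fine while that is the only trigger, but worth a comment next to them, e.g. `# PR-only: both are empty on push/schedule runs`, so a later trigger change does not silently produce untagged scans.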
From: Dana White Date: Fri, 17 May 2024 19:50:10 -0600 Subject: [PATCH 12/35] TAGS --- .github/workflows/hawkscan-scan.yml | 2 +- stackhawk.d/github-tags.yml | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 stackhawk.d/github-tags.yml diff --git a/.github/workflows/hawkscan-scan.yml b/.github/workflows/hawkscan-scan.yml index eedd7a36..53045e4d 100644 --- a/.github/workflows/hawkscan-scan.yml +++ b/.github/workflows/hawkscan-scan.yml @@ -15,7 +15,7 @@ jobs: uses: stackhawk/hawkscan-action@v2.1.3 with: apiKey: ${{ secrets.HAWK_API_KEY }} - configurationFiles: stackhawk.d/stackhawk.yml stackhawk.d/stackhawk-jsv-json-token.yml + configurationFiles: stackhawk.d/stackhawk.yml stackhawk.d/stackhawk-jsv-json-token.yml stackhawk.d/github-tags.yml sarif_file: stackhawk.sarif env: APP_ID: fe3b8948-0edb-4fa4-a3b7-6fa200461f78 diff --git a/stackhawk.d/github-tags.yml b/stackhawk.d/github-tags.yml new file mode 100644 index 00000000..3e0d223a --- /dev/null +++ b/stackhawk.d/github-tags.yml @@ -0,0 +1,5 @@ +tags: + - name: _STACKHAWK_GIT_COMMIT_SHA + value: ${COMMIT_SHA:} + - name: _STACKHAWK_GIT_BRANCH + value: ${BRANCH_NAME:} \ No newline at end of file From 360b12982819f0b0e5b9ea65e1a76a68e9f4cf58 Mon Sep 17 00:00:00 2001 From: Dana White Date: Sun, 19 May 2024 10:59:44 -0600 Subject: [PATCH 13/35] Added in upload sarif task --- .github/workflows/hawkscan-scan.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/hawkscan-scan.yml b/.github/workflows/hawkscan-scan.yml index 53045e4d..036a3723 100644 --- a/.github/workflows/hawkscan-scan.yml +++ b/.github/workflows/hawkscan-scan.yml 
@@ -22,4 +22,12 @@ jobs: ENV: action-scan SARIF_ARTIFACT: true COMMIT_SHA: ${{ github.event.pull_request.head.sha }} - BRANCH_NAME: ${{ github.head_ref }} \ No newline at end of file + BRANCH_NAME: ${{ github.head_ref }} + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: stackhawk-scan-results.sarif + # Optional category for the results + # Used to differentiate multiple results for one commit + category: StackHawk \ No newline at end of file From 2158f582b19f8108db06d17967fa17fa78a6b72f Mon Sep 17 00:00:00 2001 From: Dana White Date: Sun, 19 May 2024 11:24:30 -0600 Subject: [PATCH 14/35] Fixing workflow file --- .github/workflows/hawkscan-scan.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/hawkscan-scan.yml b/.github/workflows/hawkscan-scan.yml index 036a3723..8bb61c14 100644 --- a/.github/workflows/hawkscan-scan.yml +++ b/.github/workflows/hawkscan-scan.yml @@ -15,8 +15,7 @@ jobs: uses: stackhawk/hawkscan-action@v2.1.3 with: apiKey: ${{ secrets.HAWK_API_KEY }} - configurationFiles: stackhawk.d/stackhawk.yml stackhawk.d/stackhawk-jsv-json-token.yml stackhawk.d/github-tags.yml - sarif_file: stackhawk.sarif + configurationFiles: stackhawk.d/stackhawk.yml stackhawk.d/stackhawk-jsv-json-token.yml stackhawk.d/github-tags.yml --debug --verbose env: APP_ID: fe3b8948-0edb-4fa4-a3b7-6fa200461f78 ENV: action-scan @@ -27,7 +26,7 @@ jobs: uses: github/codeql-action/upload-sarif@v2 with: # Path to SARIF file relative to the root of the repository - sarif_file: stackhawk-scan-results.sarif + sarif_file: ${{ github.workspace }}/stackhawk-scan-results.sarif # Optional category for the results # Used to differentiate multiple results for one commit category: StackHawk \ No newline at end of file From 73a08a09052f5799113982d725f8758c381537b1 Mon Sep 17 00:00:00 2001 
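Review bot: The new "Upload SARIF file" step points at `stackhawk-scan-results.sarif`, but the preceding scan step's `sarif_file` input (still `stackhawk.sarif` in this file) names a different path, so one of the two is wrong and the upload will fail on a missing file. Uploading to code scanning also requires `security-events: write`, and this job declares no `permissions:` block at all; with the restrictive default token this step is rejected, and on fork pull requests the token is read-only regardless, so add `permissions: { contents: read, security-events: write }` at the job level and expect the upload to be skipped for forks. Consider `if: always()` on the upload step so a scan that fails the build on findings still publishes the SARIF that explains why, and use `github/codeql-action/upload-sarif@v3` to match the major used by `codeql.yml`.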
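Review bot: Appending `--debug --verbose` to `configurationFiles` smuggles CLI flags through an input that, from its name, takes a list of file paths; whether the action passes it verbatim to the scanner I cannot tell from here, but the deleted `hawkscan.yml` used a dedicated `verbose:` input, which suggests the action has a proper switch. The bigger concern is that debug output from an authenticated scan can echo request and response headers, including the `Authorization: Bearer` JWT obtained from `/api/jwt/auth/signin`, into an Actions log that is readable by anyone who can see the repository. Remove the flags before merge (or gate them on a manual `workflow_dispatch` input), and note that `sarif_file: ${{ github.workspace }}/stackhawk-scan-results.sarif` is an absolute path passed to an input documented as relative to the repository root, which may or may not be accepted.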
From: Dana White Date: Sun, 19 May 2024 11:32:56 -0600 Subject: [PATCH 15/35] Updated authentication --- .github/workflows/hawkscan-scan.yml | 2 +- stackhawk.d/stackhawk-jsv-json-token.yml | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/hawkscan-scan.yml b/.github/workflows/hawkscan-scan.yml index 8bb61c14..dd534103 100644 --- a/.github/workflows/hawkscan-scan.yml +++ b/.github/workflows/hawkscan-scan.yml @@ -26,7 +26,7 @@ jobs: uses: github/codeql-action/upload-sarif@v2 with: # Path to SARIF file relative to the root of the repository - sarif_file: ${{ github.workspace }}/stackhawk-scan-results.sarif + sarif_file: stackhawk.sarif # Optional category for the results # Used to differentiate multiple results for one commit category: StackHawk \ No newline at end of file diff --git a/stackhawk.d/stackhawk-jsv-json-token.yml b/stackhawk.d/stackhawk-jsv-json-token.yml index 0a7a0e76..64b5aec6 100644 --- a/stackhawk.d/stackhawk-jsv-json-token.yml +++ b/stackhawk.d/stackhawk-jsv-json-token.yml @@ -5,8 +5,6 @@ app: openApiConf: path: /openapi authentication: - loggedInIndicator: "\\QSign Out\\E" - loggedOutIndicator: ".*Location:.*/login.*" usernamePassword: type: JSON loginPath: /api/jwt/auth/signin @@ -18,6 +16,7 @@ app: type: HEADER value: Authorization tokenType: Bearer + isJWT: true tokenExtraction: type: TOKEN_PATH value: "token" From 9a644cd96bd5b65ef14d21bd4c9cb262851821f6 Mon Sep 17 00:00:00 2001 From: Dana White Date: Sun, 19 May 2024 11:38:41 -0600 Subject: [PATCH 16/35] turn base spider off --- stackhawk.d/stackhawk-jsv-json-token.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/stackhawk.d/stackhawk-jsv-json-token.yml b/stackhawk.d/stackhawk-jsv-json-token.yml index 64b5aec6..2da305af 100644 --- a/stackhawk.d/stackhawk-jsv-json-token.yml +++ b/stackhawk.d/stackhawk-jsv-json-token.yml @@ -1,6 +1,7 @@ hawk: spider: maxDurationMinutes: 2 + base: false app: openApiConf: path: /openapi 
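Review bot: Dropping `loggedInIndicator` and `loggedOutIndicator` from `app.authentication` removes the only signals visible in this series by which the scanner could tell whether its session is still valid; with them gone, if the JWT from `/api/jwt/auth/signin` expires or the sign-in silently fails, the authenticated `/api/jwt/*` surface is exercised unauthenticated and injection findings are missed without any error. The old `".*Location:.*/login.*"` pattern was written for the form-login redirect and is wrong for a JSON API, so rather than deleting it, replace it with a pattern on the API's unauthorized response — for example a `loggedOutIndicator` matching the status line of a 401 — and keep `loggedInIndicator` if the scanner requires one for `usernamePassword` auth (please confirm against the scanner docs). A short comment above `isJWT: true` saying why the indicators are omitted, if that is deliberate, would stop the next reviewer from re-adding them.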
From 2c7c9e9b791772df6dc3bb48ee9e230a7ec79c91 Mon Sep 17 00:00:00 2001 From: Dana White Date: Sun, 19 May 2024 12:50:05 -0600 Subject: [PATCH 17/35] updating actions removing debug --- .github/workflows/hawkscan-scan.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/hawkscan-scan.yml b/.github/workflows/hawkscan-scan.yml index dd534103..c052f046 100644 --- a/.github/workflows/hawkscan-scan.yml +++ b/.github/workflows/hawkscan-scan.yml @@ -8,14 +8,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout javaspringvulny repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run javaspringvulny run: docker-compose up -d - name: Run Hawkscan uses: stackhawk/hawkscan-action@v2.1.3 with: apiKey: ${{ secrets.HAWK_API_KEY }} - configurationFiles: stackhawk.d/stackhawk.yml stackhawk.d/stackhawk-jsv-json-token.yml stackhawk.d/github-tags.yml --debug --verbose + configurationFiles: stackhawk.d/stackhawk.yml stackhawk.d/stackhawk-jsv-json-token.yml stackhawk.d/github-tags.yml env: APP_ID: fe3b8948-0edb-4fa4-a3b7-6fa200461f78 ENV: action-scan @@ -23,7 +23,7 @@ jobs: COMMIT_SHA: ${{ github.event.pull_request.head.sha }} BRANCH_NAME: ${{ github.head_ref }} - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: # Path to SARIF file relative to the root of the repository sarif_file: stackhawk.sarif From a559ef24b3096b87274eafca4245c56e36c00e44 Mon Sep 17 00:00:00 2001 From: Dana White Date: Sun, 19 May 2024 13:20:10 -0600 Subject: [PATCH 18/35] Some sarif fixes --- .github/workflows/hawkscan-scan.yml | 22 ++-- stackhawk.sarif | 173 ++++++++++++++++++++++++++++ 2 files changed, 184 insertions(+), 11 deletions(-) create mode 100644 stackhawk.sarif diff --git a/.github/workflows/hawkscan-scan.yml b/.github/workflows/hawkscan-scan.yml index c052f046..30be970f 100644 --- a/.github/workflows/hawkscan-scan.yml +++ b/.github/workflows/hawkscan-scan.yml 
@@ -11,17 +11,17 @@ jobs: uses: actions/checkout@v4 - name: Run javaspringvulny run: docker-compose up -d - - name: Run Hawkscan - uses: stackhawk/hawkscan-action@v2.1.3 - with: - apiKey: ${{ secrets.HAWK_API_KEY }} - configurationFiles: stackhawk.d/stackhawk.yml stackhawk.d/stackhawk-jsv-json-token.yml stackhawk.d/github-tags.yml - env: - APP_ID: fe3b8948-0edb-4fa4-a3b7-6fa200461f78 - ENV: action-scan - SARIF_ARTIFACT: true - COMMIT_SHA: ${{ github.event.pull_request.head.sha }} - BRANCH_NAME: ${{ github.head_ref }} +# - name: Run Hawkscan +# uses: stackhawk/hawkscan-action@v2.1.3 +# with: +# apiKey: ${{ secrets.HAWK_API_KEY }} +# configurationFiles: stackhawk.d/stackhawk.yml stackhawk.d/stackhawk-jsv-json-token.yml stackhawk.d/github-tags.yml +# env: +# APP_ID: fe3b8948-0edb-4fa4-a3b7-6fa200461f78 +# ENV: action-scan +# SARIF_ARTIFACT: true +# COMMIT_SHA: ${{ github.event.pull_request.head.sha }} +# BRANCH_NAME: ${{ github.head_ref }} - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v3 with: diff --git a/stackhawk.sarif b/stackhawk.sarif new file mode 100644 index 00000000..f5321f32 --- /dev/null +++ b/stackhawk.sarif 
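Review bot: Commenting out "Run Hawkscan" and uploading a committed `stackhawk.sarif` turns the PR check into a replay of a fixed result set: code scanning will report the four SQL-injection findings from that file against every pull request regardless of the code under test, and mark them fixed whenever the file is deleted, which is misleading for anyone triaging the Security tab. If this is a temporary experiment to debug the upload step, say so in a comment above the commented block, e.g. `# TEMP: scan disabled, uploading a static SARIF to test upload-sarif — revert before merge`, and do not merge it to `main`. The "Run javaspringvulny" step still boots the application for a scan that no longer happens, and the committed SARIF embeds a scan id and `app.test.stackhawk.com` URLs that are environment-specific; if a fixture is really wanted, keep it under a test directory and point the upload at it explicitly.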
@@ -0,0 +1,173 @@ +{ + "version": "2.1.0", + "$schema": "https://json.schemastore.org/sarif-2.1.0", + "runs": [{ + "tool": { + "driver": { + "version": "3.9.3", + "name": "StackHawk", + "informationUri": "https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4", + "properties": { + "scanId": "83e89958-cc21-4bba-b2b4-64b143bce6f4" + }, + "rules": [{ + "id": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-0", + "name": "SQLInjectionPostgreSQL", + "helpUri": "https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", + "help": { + "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/items/search can be found here: https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", + "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018) at `https://localhost:9000/api/jwt/items/search`" + }, + "properties": { + "tags": ["CWE-89", "WASC-19"], + "security-severity": "8.0" + }, + "shortDescription": { + "text": "SQL Injection - PostgreSQL" + }, + "fullDescription": { + "text": "SQL Injection - PostgreSQL" + } + }, { + "id": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-1", + "name": "SQLInjectionPostgreSQL", + "helpUri": "https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", + "help": { + "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/items/search/%27 can be found here: https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", + "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018) at `https://localhost:9000/api/jwt/items/search/%27`" + }, + "properties": { + "tags": ["CWE-89", "WASC-19"], + "security-severity": "8.0" + }, + "shortDescription": { + "text": "SQL Injection - PostgreSQL" + }, + 
"fullDescription": { + "text": "SQL Injection - PostgreSQL" + } + }, { + "id": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-2", + "name": "SQLInjectionPostgreSQL", + "helpUri": "https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", + "help": { + "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/items/search/%27 can be found here: https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", + "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018) at `https://localhost:9000/api/jwt/items/search/%27`" + }, + "properties": { + "tags": ["CWE-89", "WASC-19"], + "security-severity": "8.0" + }, + "shortDescription": { + "text": "SQL Injection - PostgreSQL" + }, + "fullDescription": { + "text": "SQL Injection - PostgreSQL" + } + }, { + "id": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-3", + "name": "SQLInjectionPostgreSQL", + "helpUri": "https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", + "help": { + "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/users/search/bad/%27 can be found here: https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", + "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018) at `https://localhost:9000/api/jwt/users/search/bad/%27`" + }, + "properties": { + "tags": ["CWE-89", "WASC-19"], + "security-severity": "8.0" + }, + "shortDescription": { + "text": "SQL Injection - PostgreSQL" + }, + "fullDescription": { + "text": "SQL Injection - PostgreSQL" + } + }], + "fullName": "HawkScan 3.9.3" + } + }, + "results": [{ + "ruleId": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-0", + "message": { + "text": "SQL Injection - PostgreSQL", + "markdown": "SQL Injection - PostgreSQL" + }, + 
"locations": [{ + "physicalLocation": { + "artifactLocation": { + "uri": "hawkscan/https://localhost:9000/api/jwt/items/search" + }, + "region": { + "startLine": 1 + } + } + }], + "partialFingerprints": { + "3.9.3": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-0" + } + }, { + "ruleId": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-1", + "message": { + "text": "SQL Injection - PostgreSQL", + "markdown": "SQL Injection - PostgreSQL" + }, + "locations": [{ + "physicalLocation": { + "artifactLocation": { + "uri": "hawkscan/https://localhost:9000/api/jwt/items/search/%27" + }, + "region": { + "startLine": 1 + } + } + }], + "partialFingerprints": { + "3.9.3": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-1" + } + }, { + "ruleId": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-2", + "message": { + "text": "SQL Injection - PostgreSQL", + "markdown": "SQL Injection - PostgreSQL" + }, + "locations": [{ + "physicalLocation": { + "artifactLocation": { + "uri": "hawkscan/https://localhost:9000/api/jwt/items/search/%27" + }, + "region": { + "startLine": 1 + } + } + }], + "partialFingerprints": { + "3.9.3": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-2" + } + }, { + "ruleId": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-3", + "message": { + "text": "SQL Injection - PostgreSQL", + "markdown": "SQL Injection - PostgreSQL" + }, + "locations": [{ + "physicalLocation": { + "artifactLocation": { + "uri": "hawkscan/https://localhost:9000/api/jwt/users/search/bad/%27" + }, + "region": { + "startLine": 1 + } + } + }], + "partialFingerprints": { + "3.9.3": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-3" + } + }], + "automationDetails": { + "id": "HawkScan 83e89958-cc21-4bba-b2b4-64b143bce6f4", + "description": { + "text": "This is a Scan 83e89958-cc21-4bba-b2b4-64b143bce6f4 of Application: 5ab4e12e-eade-416f-87f8-ec1ca3120fa7" + } + } + }] +} \ No newline at end of file From 2cd0a7150fceef75a8affaf02cca30d93391392a Mon Sep 17 00:00:00 2001 
From: Dana White Date: Sun, 19 May 2024 13:20:41 -0600 Subject: [PATCH 19/35] Real quick test --- .github/workflows/hawkscan-scan.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/hawkscan-scan.yml b/.github/workflows/hawkscan-scan.yml index 30be970f..73388ced 100644 --- a/.github/workflows/hawkscan-scan.yml +++ b/.github/workflows/hawkscan-scan.yml @@ -7,10 +7,10 @@ jobs: name: Java Spring Vulny Test runs-on: ubuntu-latest steps: - - name: Checkout javaspringvulny repository - uses: actions/checkout@v4 - - name: Run javaspringvulny - run: docker-compose up -d +# - name: Checkout javaspringvulny repository +# uses: actions/checkout@v4 +# - name: Run javaspringvulny +# run: docker-compose up -d # - name: Run Hawkscan # uses: stackhawk/hawkscan-action@v2.1.3 # with: From 6ba881a46d0fd01b38e035da913a30409a5af75e Mon Sep 17 00:00:00 2001 From: Dana White Date: Sun, 19 May 2024 13:23:56 -0600 Subject: [PATCH 20/35] Whatever --- .github/workflows/hawkscan-scan.yml | 30 ++-- stackhawk.d/stackhawk-jsv-json-token.yml | 3 + stackhawk.sarif | 173 ----------------------- 3 files changed, 18 insertions(+), 188 deletions(-) delete mode 100644 stackhawk.sarif diff --git a/.github/workflows/hawkscan-scan.yml b/.github/workflows/hawkscan-scan.yml index 73388ced..c052f046 100644 --- a/.github/workflows/hawkscan-scan.yml +++ b/.github/workflows/hawkscan-scan.yml 
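Review bot: Commenting out `actions/checkout@v4` leaves the runner with an empty workspace, so the surviving `Upload SARIF file` step (whose `sarif_file: stackhawk.sarif` is context outside this hunk) points at a file that does not exist and the job fails before anything reaches Code Scanning. If the intent is to test the upload alone, keep the checkout step and narrow it instead, e.g. `with:` / `sparse-checkout: stackhawk.sarif`. Toggling steps on the PR-triggered production job for experiments also means every PR opened meanwhile sees the broken state; a `workflow_dispatch` workflow would be a safer place for this.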
@@ -7,21 +7,21 @@ jobs: name: Java Spring Vulny Test runs-on: ubuntu-latest steps: -# - name: Checkout javaspringvulny repository -# uses: actions/checkout@v4 -# - name: Run javaspringvulny -# run: docker-compose up -d -# - name: Run Hawkscan -# uses: stackhawk/hawkscan-action@v2.1.3 -# with: -# apiKey: ${{ secrets.HAWK_API_KEY }} -# configurationFiles: stackhawk.d/stackhawk.yml stackhawk.d/stackhawk-jsv-json-token.yml stackhawk.d/github-tags.yml -# env: -# APP_ID: fe3b8948-0edb-4fa4-a3b7-6fa200461f78 -# ENV: action-scan -# SARIF_ARTIFACT: true -# COMMIT_SHA: ${{ github.event.pull_request.head.sha }} -# BRANCH_NAME: ${{ github.head_ref }} + - name: Checkout javaspringvulny repository + uses: actions/checkout@v4 + - name: Run javaspringvulny + run: docker-compose up -d + - name: Run Hawkscan + uses: stackhawk/hawkscan-action@v2.1.3 + with: + apiKey: ${{ secrets.HAWK_API_KEY }} + configurationFiles: stackhawk.d/stackhawk.yml stackhawk.d/stackhawk-jsv-json-token.yml stackhawk.d/github-tags.yml + env: + APP_ID: fe3b8948-0edb-4fa4-a3b7-6fa200461f78 + ENV: action-scan + SARIF_ARTIFACT: true + COMMIT_SHA: ${{ github.event.pull_request.head.sha }} + BRANCH_NAME: ${{ github.head_ref }} - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v3 with: diff --git a/stackhawk.d/stackhawk-jsv-json-token.yml b/stackhawk.d/stackhawk-jsv-json-token.yml index 2da305af..f7ab80e0 100644 --- a/stackhawk.d/stackhawk-jsv-json-token.yml +++ b/stackhawk.d/stackhawk-jsv-json-token.yml @@ -2,6 +2,9 @@ hawk: spider: maxDurationMinutes: 2 base: false + scan: + includedPlugins: + - 40018 app: openApiConf: path: /openapi diff --git a/stackhawk.sarif b/stackhawk.sarif deleted file mode 100644 index f5321f32..00000000 --- a/stackhawk.sarif +++ /dev/null 
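Review bot: `includedPlugins: - 40018` in `stackhawk-jsv-json-token.yml` narrows the HawkScan run to a single plugin, and nothing in the file records why, so a reader cannot tell a deliberate test-scope restriction from the intended coverage. Add a comment naming the plugin and the reason, e.g. `# 40018 = SQL Injection (PostgreSQL); limited so the SARIF integration test stays fast` — the plugin name is taken from the SARIF fixture elsewhere in this series, so confirm it against the HawkScan plugin list. If this config file is also used for real scans of the app, move the restriction into a test-only overlay file rather than the shared one.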
@@ -1,173 +0,0 @@ -{ - "version": "2.1.0", - "$schema": "https://json.schemastore.org/sarif-2.1.0", - "runs": [{ - "tool": { - "driver": { - "version": "3.9.3", - "name": "StackHawk", - "informationUri": "https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4", - "properties": { - "scanId": "83e89958-cc21-4bba-b2b4-64b143bce6f4" - }, - "rules": [{ - "id": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-0", - "name": "SQLInjectionPostgreSQL", - "helpUri": "https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", - "help": { - "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/items/search can be found here: https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", - "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018) at `https://localhost:9000/api/jwt/items/search`" - }, - "properties": { - "tags": ["CWE-89", "WASC-19"], - "security-severity": "8.0" - }, - "shortDescription": { - "text": "SQL Injection - PostgreSQL" - }, - "fullDescription": { - "text": "SQL Injection - PostgreSQL" - } - }, { - "id": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-1", - "name": "SQLInjectionPostgreSQL", - "helpUri": "https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", - "help": { - "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/items/search/%27 can be found here: https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", - "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018) at `https://localhost:9000/api/jwt/items/search/%27`" - }, - "properties": { - "tags": ["CWE-89", "WASC-19"], - "security-severity": "8.0" - }, - "shortDescription": { - "text": "SQL Injection - PostgreSQL" - }, - 
"fullDescription": { - "text": "SQL Injection - PostgreSQL" - } - }, { - "id": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-2", - "name": "SQLInjectionPostgreSQL", - "helpUri": "https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", - "help": { - "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/items/search/%27 can be found here: https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", - "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018) at `https://localhost:9000/api/jwt/items/search/%27`" - }, - "properties": { - "tags": ["CWE-89", "WASC-19"], - "security-severity": "8.0" - }, - "shortDescription": { - "text": "SQL Injection - PostgreSQL" - }, - "fullDescription": { - "text": "SQL Injection - PostgreSQL" - } - }, { - "id": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-3", - "name": "SQLInjectionPostgreSQL", - "helpUri": "https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", - "help": { - "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/users/search/bad/%27 can be found here: https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", - "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018) at `https://localhost:9000/api/jwt/users/search/bad/%27`" - }, - "properties": { - "tags": ["CWE-89", "WASC-19"], - "security-severity": "8.0" - }, - "shortDescription": { - "text": "SQL Injection - PostgreSQL" - }, - "fullDescription": { - "text": "SQL Injection - PostgreSQL" - } - }], - "fullName": "HawkScan 3.9.3" - } - }, - "results": [{ - "ruleId": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-0", - "message": { - "text": "SQL Injection - PostgreSQL", - "markdown": "SQL Injection - PostgreSQL" - }, - 
"locations": [{ - "physicalLocation": { - "artifactLocation": { - "uri": "hawkscan/https://localhost:9000/api/jwt/items/search" - }, - "region": { - "startLine": 1 - } - } - }], - "partialFingerprints": { - "3.9.3": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-0" - } - }, { - "ruleId": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-1", - "message": { - "text": "SQL Injection - PostgreSQL", - "markdown": "SQL Injection - PostgreSQL" - }, - "locations": [{ - "physicalLocation": { - "artifactLocation": { - "uri": "hawkscan/https://localhost:9000/api/jwt/items/search/%27" - }, - "region": { - "startLine": 1 - } - } - }], - "partialFingerprints": { - "3.9.3": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-1" - } - }, { - "ruleId": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-2", - "message": { - "text": "SQL Injection - PostgreSQL", - "markdown": "SQL Injection - PostgreSQL" - }, - "locations": [{ - "physicalLocation": { - "artifactLocation": { - "uri": "hawkscan/https://localhost:9000/api/jwt/items/search/%27" - }, - "region": { - "startLine": 1 - } - } - }], - "partialFingerprints": { - "3.9.3": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-2" - } - }, { - "ruleId": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-3", - "message": { - "text": "SQL Injection - PostgreSQL", - "markdown": "SQL Injection - PostgreSQL" - }, - "locations": [{ - "physicalLocation": { - "artifactLocation": { - "uri": "hawkscan/https://localhost:9000/api/jwt/users/search/bad/%27" - }, - "region": { - "startLine": 1 - } - } - }], - "partialFingerprints": { - "3.9.3": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-3" - } - }], - "automationDetails": { - "id": "HawkScan 83e89958-cc21-4bba-b2b4-64b143bce6f4", - "description": { - "text": "This is a Scan 83e89958-cc21-4bba-b2b4-64b143bce6f4 of Application: 5ab4e12e-eade-416f-87f8-ec1ca3120fa7" - } - } - }] -} \ No newline at end of file From 23f45e61c5bcbeb8899ff2813eb0bb6937eda441 Mon Sep 17 00:00:00 2001 
From: Dana White Date: Sun, 19 May 2024 13:32:09 -0600 Subject: [PATCH 21/35] committing --- .github/workflows/hawkscan-scan.yml | 30 ++--- stackhawk.sarif | 173 ++++++++++++++++++++++++++++ 2 files changed, 188 insertions(+), 15 deletions(-) create mode 100644 stackhawk.sarif diff --git a/.github/workflows/hawkscan-scan.yml b/.github/workflows/hawkscan-scan.yml index c052f046..73388ced 100644 --- a/.github/workflows/hawkscan-scan.yml +++ b/.github/workflows/hawkscan-scan.yml @@ -7,21 +7,21 @@ jobs: name: Java Spring Vulny Test runs-on: ubuntu-latest steps: - - name: Checkout javaspringvulny repository - uses: actions/checkout@v4 - - name: Run javaspringvulny - run: docker-compose up -d - - name: Run Hawkscan - uses: stackhawk/hawkscan-action@v2.1.3 - with: - apiKey: ${{ secrets.HAWK_API_KEY }} - configurationFiles: stackhawk.d/stackhawk.yml stackhawk.d/stackhawk-jsv-json-token.yml stackhawk.d/github-tags.yml - env: - APP_ID: fe3b8948-0edb-4fa4-a3b7-6fa200461f78 - ENV: action-scan - SARIF_ARTIFACT: true - COMMIT_SHA: ${{ github.event.pull_request.head.sha }} - BRANCH_NAME: ${{ github.head_ref }} +# - name: Checkout javaspringvulny repository +# uses: actions/checkout@v4 +# - name: Run javaspringvulny +# run: docker-compose up -d +# - name: Run Hawkscan +# uses: stackhawk/hawkscan-action@v2.1.3 +# with: +# apiKey: ${{ secrets.HAWK_API_KEY }} +# configurationFiles: stackhawk.d/stackhawk.yml stackhawk.d/stackhawk-jsv-json-token.yml stackhawk.d/github-tags.yml +# env: +# APP_ID: fe3b8948-0edb-4fa4-a3b7-6fa200461f78 +# ENV: action-scan +# SARIF_ARTIFACT: true +# COMMIT_SHA: ${{ github.event.pull_request.head.sha }} +# BRANCH_NAME: ${{ github.head_ref }} - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v3 with: diff --git a/stackhawk.sarif b/stackhawk.sarif new file mode 100644 index 00000000..f5321f32 --- /dev/null +++ b/stackhawk.sarif 
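Review bot: This reintroduces the state from two commits earlier: there is no checkout step, so `stackhawk.sarif` is absent from the workspace and the upload fails, and the scanner is disabled, so anything that did upload would be the static fixture rather than a scan of this commit. Flipping the production PR job back and forth like this leaves every PR opened in between with a red check for reasons unrelated to its changes. A separate `workflow_dispatch`-triggered workflow, or an `if:` on the scan step keyed to a dispatch input, would let the upload be tested without touching the PR gate.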
@@ -0,0 +1,173 @@ +{ + "version": "2.1.0", + "$schema": "https://json.schemastore.org/sarif-2.1.0", + "runs": [{ + "tool": { + "driver": { + "version": "3.9.3", + "name": "StackHawk", + "informationUri": "https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4", + "properties": { + "scanId": "83e89958-cc21-4bba-b2b4-64b143bce6f4" + }, + "rules": [{ + "id": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-0", + "name": "SQLInjectionPostgreSQL", + "helpUri": "https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", + "help": { + "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/items/search can be found here: https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", + "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018) at `https://localhost:9000/api/jwt/items/search`" + }, + "properties": { + "tags": ["CWE-89", "WASC-19"], + "security-severity": "8.0" + }, + "shortDescription": { + "text": "SQL Injection - PostgreSQL" + }, + "fullDescription": { + "text": "SQL Injection - PostgreSQL" + } + }, { + "id": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-1", + "name": "SQLInjectionPostgreSQL", + "helpUri": "https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", + "help": { + "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/items/search/%27 can be found here: https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", + "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018) at `https://localhost:9000/api/jwt/items/search/%27`" + }, + "properties": { + "tags": ["CWE-89", "WASC-19"], + "security-severity": "8.0" + }, + "shortDescription": { + "text": "SQL Injection - PostgreSQL" + }, + 
"fullDescription": { + "text": "SQL Injection - PostgreSQL" + } + }, { + "id": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-2", + "name": "SQLInjectionPostgreSQL", + "helpUri": "https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", + "help": { + "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/items/search/%27 can be found here: https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", + "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018) at `https://localhost:9000/api/jwt/items/search/%27`" + }, + "properties": { + "tags": ["CWE-89", "WASC-19"], + "security-severity": "8.0" + }, + "shortDescription": { + "text": "SQL Injection - PostgreSQL" + }, + "fullDescription": { + "text": "SQL Injection - PostgreSQL" + } + }, { + "id": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-3", + "name": "SQLInjectionPostgreSQL", + "helpUri": "https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", + "help": { + "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/users/search/bad/%27 can be found here: https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", + "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018) at `https://localhost:9000/api/jwt/users/search/bad/%27`" + }, + "properties": { + "tags": ["CWE-89", "WASC-19"], + "security-severity": "8.0" + }, + "shortDescription": { + "text": "SQL Injection - PostgreSQL" + }, + "fullDescription": { + "text": "SQL Injection - PostgreSQL" + } + }], + "fullName": "HawkScan 3.9.3" + } + }, + "results": [{ + "ruleId": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-0", + "message": { + "text": "SQL Injection - PostgreSQL", + "markdown": "SQL Injection - PostgreSQL" + }, + 
"locations": [{ + "physicalLocation": { + "artifactLocation": { + "uri": "hawkscan/https://localhost:9000/api/jwt/items/search" + }, + "region": { + "startLine": 1 + } + } + }], + "partialFingerprints": { + "3.9.3": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-0" + } + }, { + "ruleId": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-1", + "message": { + "text": "SQL Injection - PostgreSQL", + "markdown": "SQL Injection - PostgreSQL" + }, + "locations": [{ + "physicalLocation": { + "artifactLocation": { + "uri": "hawkscan/https://localhost:9000/api/jwt/items/search/%27" + }, + "region": { + "startLine": 1 + } + } + }], + "partialFingerprints": { + "3.9.3": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-1" + } + }, { + "ruleId": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-2", + "message": { + "text": "SQL Injection - PostgreSQL", + "markdown": "SQL Injection - PostgreSQL" + }, + "locations": [{ + "physicalLocation": { + "artifactLocation": { + "uri": "hawkscan/https://localhost:9000/api/jwt/items/search/%27" + }, + "region": { + "startLine": 1 + } + } + }], + "partialFingerprints": { + "3.9.3": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-2" + } + }, { + "ruleId": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-3", + "message": { + "text": "SQL Injection - PostgreSQL", + "markdown": "SQL Injection - PostgreSQL" + }, + "locations": [{ + "physicalLocation": { + "artifactLocation": { + "uri": "hawkscan/https://localhost:9000/api/jwt/users/search/bad/%27" + }, + "region": { + "startLine": 1 + } + } + }], + "partialFingerprints": { + "3.9.3": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-3" + } + }], + "automationDetails": { + "id": "HawkScan 83e89958-cc21-4bba-b2b4-64b143bce6f4", + "description": { + "text": "This is a Scan 83e89958-cc21-4bba-b2b4-64b143bce6f4 of Application: 5ab4e12e-eade-416f-87f8-ec1ca3120fa7" + } + } + }] +} \ No newline at end of file From 40c27d1dfc16d66d11b956954e70728c05e2fe6b Mon Sep 17 00:00:00 2001 
From: Dana White Date: Sun, 19 May 2024 13:35:38 -0600 Subject: [PATCH 22/35] I don't know where files go --- .github/workflows/hawkscan-scan.yml | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/.github/workflows/hawkscan-scan.yml b/.github/workflows/hawkscan-scan.yml index 73388ced..18571cb6 100644 --- a/.github/workflows/hawkscan-scan.yml +++ b/.github/workflows/hawkscan-scan.yml @@ -26,7 +26,23 @@ jobs: uses: github/codeql-action/upload-sarif@v3 with: # Path to SARIF file relative to the root of the repository - sarif_file: stackhawk.sarif + sarif_file: ./stackhawk.sarif + # Optional category for the results + # Used to differentiate multiple results for one commit + category: StackHawk + - name: Upload 2 wheraver + uses: github/codeql-action/upload-sarif@v3 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: /integration_tests/stackhawk.sarif + # Optional category for the results + # Used to differentiate multiple results for one commit + category: StackHawk + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: ${{ github.workspace }}/stackhawk.sarif # Optional category for the results # Used to differentiate multiple results for one commit category: StackHawk \ No newline at end of file From 31ac7669c5e3a0e71011de37d3aba6588b846c57 Mon Sep 17 00:00:00 2001 From: Dana White Date: Sun, 19 May 2024 13:44:08 -0600 Subject: [PATCH 23/35] ARGH --- .github/workflows/hawkscan-scan.yml | 18 +-- integration_tests/example.sarif | 173 ++++++++++++++++++++++++++++ 2 files changed, 175 insertions(+), 16 deletions(-) create mode 100644 integration_tests/example.sarif diff --git a/.github/workflows/hawkscan-scan.yml b/.github/workflows/hawkscan-scan.yml index 18571cb6..b67f5d28 100644 --- a/.github/workflows/hawkscan-scan.yml +++ b/.github/workflows/hawkscan-scan.yml 
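Review bot: All three `upload-sarif` steps use `category: StackHawk` for the same commit, and GitHub treats uploads with the same category, commit and ref as the same analysis, so each later step supersedes the previous one's results rather than adding to them; only the last upload that succeeds will be visible. `sarif_file: /integration_tests/stackhawk.sarif` is also an absolute path at the filesystem root, not the repository, and will not exist on the runner. Keep a single upload step with a repository-relative path (`sarif_file: stackhawk.sarif` and `${{ github.workspace }}/stackhawk.sarif` resolve to the same file), and give each a distinct category only if several results genuinely need to coexist. The file now also ends without a trailing newline.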
@@ -22,6 +22,8 @@ jobs: # SARIF_ARTIFACT: true # COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # BRANCH_NAME: ${{ github.head_ref }} + - name: Generate sarif example + run: cp integration_tests/example.sarif stackhawk-scan-results.sarif - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v3 with: @@ -29,20 +31,4 @@ jobs: sarif_file: ./stackhawk.sarif # Optional category for the results # Used to differentiate multiple results for one commit - category: StackHawk - - name: Upload 2 wheraver - uses: github/codeql-action/upload-sarif@v3 - with: - # Path to SARIF file relative to the root of the repository - sarif_file: /integration_tests/stackhawk.sarif - # Optional category for the results - # Used to differentiate multiple results for one commit - category: StackHawk - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v3 - with: - # Path to SARIF file relative to the root of the repository - sarif_file: ${{ github.workspace }}/stackhawk.sarif - # Optional category for the results - # Used to differentiate multiple results for one commit category: StackHawk \ No newline at end of file diff --git a/integration_tests/example.sarif b/integration_tests/example.sarif new file mode 100644 index 00000000..f5321f32 --- /dev/null +++ b/integration_tests/example.sarif 
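Review bot: The new `Generate sarif example` step copies the fixture to `stackhawk-scan-results.sarif`, but the upload step below it still reads `sarif_file: ./stackhawk.sarif`, so the copy is never used and the upload depends on a file this step did not produce. Point both at one name, e.g. `sarif_file: stackhawk-scan-results.sarif`. The unconditional `cp` would also silently overwrite real scanner output of that name once the scan step is re-enabled; `cp -n` or a fixture-specific target name would make the collision visible. The workflow still ends without a trailing newline.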
@@ -0,0 +1,173 @@ +{ + "version": "2.1.0", + "$schema": "https://json.schemastore.org/sarif-2.1.0", + "runs": [{ + "tool": { + "driver": { + "version": "3.9.3", + "name": "StackHawk", + "informationUri": "https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4", + "properties": { + "scanId": "83e89958-cc21-4bba-b2b4-64b143bce6f4" + }, + "rules": [{ + "id": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-0", + "name": "SQLInjectionPostgreSQL", + "helpUri": "https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", + "help": { + "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/items/search can be found here: https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", + "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018) at `https://localhost:9000/api/jwt/items/search`" + }, + "properties": { + "tags": ["CWE-89", "WASC-19"], + "security-severity": "8.0" + }, + "shortDescription": { + "text": "SQL Injection - PostgreSQL" + }, + "fullDescription": { + "text": "SQL Injection - PostgreSQL" + } + }, { + "id": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-1", + "name": "SQLInjectionPostgreSQL", + "helpUri": "https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", + "help": { + "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/items/search/%27 can be found here: https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", + "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018) at `https://localhost:9000/api/jwt/items/search/%27`" + }, + "properties": { + "tags": ["CWE-89", "WASC-19"], + "security-severity": "8.0" + }, + "shortDescription": { + "text": "SQL Injection - PostgreSQL" + }, + 
"fullDescription": { + "text": "SQL Injection - PostgreSQL" + } + }, { + "id": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-2", + "name": "SQLInjectionPostgreSQL", + "helpUri": "https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", + "help": { + "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/items/search/%27 can be found here: https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", + "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018) at `https://localhost:9000/api/jwt/items/search/%27`" + }, + "properties": { + "tags": ["CWE-89", "WASC-19"], + "security-severity": "8.0" + }, + "shortDescription": { + "text": "SQL Injection - PostgreSQL" + }, + "fullDescription": { + "text": "SQL Injection - PostgreSQL" + } + }, { + "id": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-3", + "name": "SQLInjectionPostgreSQL", + "helpUri": "https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", + "help": { + "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/users/search/bad/%27 can be found here: https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", + "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018) at `https://localhost:9000/api/jwt/users/search/bad/%27`" + }, + "properties": { + "tags": ["CWE-89", "WASC-19"], + "security-severity": "8.0" + }, + "shortDescription": { + "text": "SQL Injection - PostgreSQL" + }, + "fullDescription": { + "text": "SQL Injection - PostgreSQL" + } + }], + "fullName": "HawkScan 3.9.3" + } + }, + "results": [{ + "ruleId": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-0", + "message": { + "text": "SQL Injection - PostgreSQL", + "markdown": "SQL Injection - PostgreSQL" + }, + 
"locations": [{ + "physicalLocation": { + "artifactLocation": { + "uri": "hawkscan/https://localhost:9000/api/jwt/items/search" + }, + "region": { + "startLine": 1 + } + } + }], + "partialFingerprints": { + "3.9.3": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-0" + } + }, { + "ruleId": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-1", + "message": { + "text": "SQL Injection - PostgreSQL", + "markdown": "SQL Injection - PostgreSQL" + }, + "locations": [{ + "physicalLocation": { + "artifactLocation": { + "uri": "hawkscan/https://localhost:9000/api/jwt/items/search/%27" + }, + "region": { + "startLine": 1 + } + } + }], + "partialFingerprints": { + "3.9.3": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-1" + } + }, { + "ruleId": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-2", + "message": { + "text": "SQL Injection - PostgreSQL", + "markdown": "SQL Injection - PostgreSQL" + }, + "locations": [{ + "physicalLocation": { + "artifactLocation": { + "uri": "hawkscan/https://localhost:9000/api/jwt/items/search/%27" + }, + "region": { + "startLine": 1 + } + } + }], + "partialFingerprints": { + "3.9.3": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-2" + } + }, { + "ruleId": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-3", + "message": { + "text": "SQL Injection - PostgreSQL", + "markdown": "SQL Injection - PostgreSQL" + }, + "locations": [{ + "physicalLocation": { + "artifactLocation": { + "uri": "hawkscan/https://localhost:9000/api/jwt/users/search/bad/%27" + }, + "region": { + "startLine": 1 + } + } + }], + "partialFingerprints": { + "3.9.3": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-3" + } + }], + "automationDetails": { + "id": "HawkScan 83e89958-cc21-4bba-b2b4-64b143bce6f4", + "description": { + "text": "This is a Scan 83e89958-cc21-4bba-b2b4-64b143bce6f4 of Application: 5ab4e12e-eade-416f-87f8-ec1ca3120fa7" + } + } + }] +} \ No newline at end of file From 610af8453623afac47e9ae4090d41db9415e727f Mon Sep 17 00:00:00 2001 
From: Dana White Date: Sun, 19 May 2024 13:49:00 -0600 Subject: [PATCH 24/35] Moar argh --- .github/workflows/hawkscan-scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/hawkscan-scan.yml b/.github/workflows/hawkscan-scan.yml index b67f5d28..daa1e3f2 100644 --- a/.github/workflows/hawkscan-scan.yml +++ b/.github/workflows/hawkscan-scan.yml @@ -7,8 +7,8 @@ jobs: name: Java Spring Vulny Test runs-on: ubuntu-latest steps: -# - name: Checkout javaspringvulny repository -# uses: actions/checkout@v4 + - name: Checkout javaspringvulny repository + uses: actions/checkout@v4 # - name: Run javaspringvulny # run: docker-compose up -d # - name: Run Hawkscan From 9a8680c7fac28d183aececd444cd963324dabe0e Mon Sep 17 00:00:00 2001 From: Dana White Date: Sun, 19 May 2024 13:53:30 -0600 Subject: [PATCH 25/35] More testing --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/hawkscan-scan.yml | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index b36bd538..7573719e 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -14,8 +14,8 @@ name: "CodeQL" on: push: branches: [ "main" ] - pull_request: - branches: [ "main" ] +# pull_request: +# branches: [ "main" ] schedule: - cron: '39 10 * * 2' diff --git a/.github/workflows/hawkscan-scan.yml b/.github/workflows/hawkscan-scan.yml index daa1e3f2..ca1e571c 100644 --- a/.github/workflows/hawkscan-scan.yml +++ b/.github/workflows/hawkscan-scan.yml @@ -1,6 +1,8 @@ name: "action-tests" on: pull_request: + branches: + - main jobs: javaspringvulny-test: From f736f8e7dc54446b532941647138f00c4bb7b1e6 Mon Sep 17 00:00:00 2001 From: Dana White Date: Sun, 19 May 2024 13:57:30 -0600 Subject: [PATCH 26/35] ARGH --- .github/workflows/hawkscan-scan.yml | 3 +++ 1 file changed, 3 insertions(+) 
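Review bot: Commenting out the `pull_request` trigger in `codeql.yml` means CodeQL now runs only after a merge to `main` and on the weekly schedule, so findings no longer surface on the PR where they could block the change. If this was to stop the analysis running twice per PR, restore the trigger and use `concurrency` or `paths-ignore` instead; if it is temporary while the SARIF upload is being debugged, say so with a date, e.g. `# pull_request trigger disabled 2024-05-19 during SARIF upload testing — restore before merge`, so the gate does not stay silently disabled. The `branches: - main` filter added to the hawkscan workflow in the same commit is fine as is.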
diff --git a/.github/workflows/hawkscan-scan.yml b/.github/workflows/hawkscan-scan.yml index ca1e571c..028269ba 100644 --- a/.github/workflows/hawkscan-scan.yml +++ b/.github/workflows/hawkscan-scan.yml @@ -3,6 +3,9 @@ on: pull_request: branches: - main + push: + branches: + - feature/codql jobs: javaspringvulny-test: From ca9c08516cb97a699c3a974925bc802cff0f5822 Mon Sep 17 00:00:00 2001 From: Dana White Date: Sun, 19 May 2024 14:17:06 -0600 Subject: [PATCH 27/35] I dont even --- .github/workflows/hawkscan-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/hawkscan-scan.yml b/.github/workflows/hawkscan-scan.yml index 028269ba..2f82ef59 100644 --- a/.github/workflows/hawkscan-scan.yml +++ b/.github/workflows/hawkscan-scan.yml @@ -33,7 +33,7 @@ jobs: uses: github/codeql-action/upload-sarif@v3 with: # Path to SARIF file relative to the root of the repository - sarif_file: ./stackhawk.sarif + sarif_file: stackhawk-scan-results.sarif # Optional category for the results # Used to differentiate multiple results for one commit category: StackHawk \ No newline at end of file From d6f05cb7cc93fc66162c3b6efb6cc3696a505859 Mon Sep 17 00:00:00 2001 From: Dana White Date: Sun, 19 May 2024 14:25:53 -0600 Subject: [PATCH 28/35] Cleanup --- .github/workflows/hawkscan-scan.yml | 30 +++-- integration_tests/example.sarif | 173 ---------------------------- stackhawk.sarif | 173 ---------------------------- 3 files changed, 14 insertions(+), 362 deletions(-) delete mode 100644 integration_tests/example.sarif delete mode 100644 stackhawk.sarif diff --git a/.github/workflows/hawkscan-scan.yml b/.github/workflows/hawkscan-scan.yml index 2f82ef59..c0a54287 100644 --- a/.github/workflows/hawkscan-scan.yml +++ b/.github/workflows/hawkscan-scan.yml 
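Review bot: The added push trigger targets `feature/codql`, which reads like a misspelling of `codeql`; if the branch is actually named `feature/codeql` this trigger never fires, so confirm the branch name. More importantly, on a `push` event `github.event.pull_request.head.sha` and `github.head_ref` are empty, and this workflow passes them to HawkScan as `COMMIT_SHA` and `BRANCH_NAME` (outside this hunk), so push-triggered scans are tagged with blank commit and branch metadata. Use the event-independent values as fallbacks, e.g. `COMMIT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}` and `BRANCH_NAME: ${{ github.head_ref || github.ref_name }}`. If the push trigger is only for testing this branch, drop it before merge rather than leaving a stale branch name in the workflow.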
@@ -14,26 +14,24 @@ jobs:
 steps:
 - name: Checkout javaspringvulny repository
 uses: actions/checkout@v4
-# - name: Run javaspringvulny
-# run: docker-compose up -d
-# - name: Run Hawkscan
-# uses: stackhawk/hawkscan-action@v2.1.3
-# with:
-# apiKey: ${{ secrets.HAWK_API_KEY }}
-# configurationFiles: stackhawk.d/stackhawk.yml stackhawk.d/stackhawk-jsv-json-token.yml stackhawk.d/github-tags.yml
-# env:
-# APP_ID: fe3b8948-0edb-4fa4-a3b7-6fa200461f78
-# ENV: action-scan
-# SARIF_ARTIFACT: true
-# COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
-# BRANCH_NAME: ${{ github.head_ref }}
- - name: Generate sarif example
- run: cp integration_tests/example.sarif stackhawk-scan-results.sarif
+ - name: Run javaspringvulny
+ run: docker-compose up -d
+ - name: Run Hawkscan
+ uses: stackhawk/hawkscan-action@v2.1.3
+ with:
+ apiKey: ${{ secrets.HAWK_API_KEY }}
+ configurationFiles: stackhawk.d/stackhawk.yml stackhawk.d/stackhawk-jsv-json-token.yml stackhawk.d/github-tags.yml
+ env:
+ APP_ID: fe3b8948-0edb-4fa4-a3b7-6fa200461f78
+ ENV: action-scan
+ SARIF_ARTIFACT: true
+ COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
+ BRANCH_NAME: ${{ github.head_ref }}
 - name: Upload SARIF file
 uses: github/codeql-action/upload-sarif@v3
 with:
 # Path to SARIF file relative to the root of the repository
- sarif_file: stackhawk-scan-results.sarif
+ sarif_file: stackhawk.sarif
 # Optional category for the results
 # Used to differentiate multiple results for one commit
 category: StackHawk
\ No newline at end of file
diff --git a/integration_tests/example.sarif b/integration_tests/example.sarif
deleted file mode 100644
index f5321f32..00000000
--- a/integration_tests/example.sarif
+++ /dev/null
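Review bot: As far as the hunks in this series show, the `javaspringvulny-test` job declares no `permissions:` block (patch 25's hunk shows the file head and patch 24's the job header with none), yet the `Upload SARIF file` step re-enabled here calls `github/codeql-action/upload-sarif@v3`, which needs `security-events: write`; on a repository whose default `GITHUB_TOKEN` is read-only the upload fails, and on a permissive default the job holds far more than it needs while also handling `secrets.HAWK_API_KEY`. A job-level block like codeql.yml already has — `permissions:` / `contents: read` / `security-events: write` — fixes both. Separately, the upload step only runs if `Run Hawkscan` succeeds, so if the scanner exits non-zero (for example on findings, depending on how the action is configured) the SARIF that explains the failure is never uploaded; `if: always()` on the upload step keeps results flowing. `docker-compose up -d` also returns before the app is listening, so unless the scanner retries, the scan may start against a target that is not up yet.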
@@ -1,173 +0,0 @@ -{ - "version": "2.1.0", - "$schema": "https://json.schemastore.org/sarif-2.1.0", - "runs": [{ - "tool": { - "driver": { - "version": "3.9.3", - "name": "StackHawk", - "informationUri": "https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4", - "properties": { - "scanId": "83e89958-cc21-4bba-b2b4-64b143bce6f4" - }, - "rules": [{ - "id": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-0", - "name": "SQLInjectionPostgreSQL", - "helpUri": "https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", - "help": { - "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/items/search can be found here: https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", - "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018) at `https://localhost:9000/api/jwt/items/search`" - }, - "properties": { - "tags": ["CWE-89", "WASC-19"], - "security-severity": "8.0" - }, - "shortDescription": { - "text": "SQL Injection - PostgreSQL" - }, - "fullDescription": { - "text": "SQL Injection - PostgreSQL" - } - }, { - "id": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-1", - "name": "SQLInjectionPostgreSQL", - "helpUri": "https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", - "help": { - "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/items/search/%27 can be found here: https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", - "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018) at `https://localhost:9000/api/jwt/items/search/%27`" - }, - "properties": { - "tags": ["CWE-89", "WASC-19"], - "security-severity": "8.0" - }, - "shortDescription": { - "text": "SQL Injection - PostgreSQL" - }, - 
"fullDescription": { - "text": "SQL Injection - PostgreSQL" - } - }, { - "id": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-2", - "name": "SQLInjectionPostgreSQL", - "helpUri": "https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", - "help": { - "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/items/search/%27 can be found here: https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", - "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018) at `https://localhost:9000/api/jwt/items/search/%27`" - }, - "properties": { - "tags": ["CWE-89", "WASC-19"], - "security-severity": "8.0" - }, - "shortDescription": { - "text": "SQL Injection - PostgreSQL" - }, - "fullDescription": { - "text": "SQL Injection - PostgreSQL" - } - }, { - "id": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-3", - "name": "SQLInjectionPostgreSQL", - "helpUri": "https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", - "help": { - "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/users/search/bad/%27 can be found here: https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", - "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018) at `https://localhost:9000/api/jwt/users/search/bad/%27`" - }, - "properties": { - "tags": ["CWE-89", "WASC-19"], - "security-severity": "8.0" - }, - "shortDescription": { - "text": "SQL Injection - PostgreSQL" - }, - "fullDescription": { - "text": "SQL Injection - PostgreSQL" - } - }], - "fullName": "HawkScan 3.9.3" - } - }, - "results": [{ - "ruleId": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-0", - "message": { - "text": "SQL Injection - PostgreSQL", - "markdown": "SQL Injection - PostgreSQL" - }, - 
"locations": [{ - "physicalLocation": { - "artifactLocation": { - "uri": "hawkscan/https://localhost:9000/api/jwt/items/search" - }, - "region": { - "startLine": 1 - } - } - }], - "partialFingerprints": { - "3.9.3": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-0" - } - }, { - "ruleId": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-1", - "message": { - "text": "SQL Injection - PostgreSQL", - "markdown": "SQL Injection - PostgreSQL" - }, - "locations": [{ - "physicalLocation": { - "artifactLocation": { - "uri": "hawkscan/https://localhost:9000/api/jwt/items/search/%27" - }, - "region": { - "startLine": 1 - } - } - }], - "partialFingerprints": { - "3.9.3": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-1" - } - }, { - "ruleId": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-2", - "message": { - "text": "SQL Injection - PostgreSQL", - "markdown": "SQL Injection - PostgreSQL" - }, - "locations": [{ - "physicalLocation": { - "artifactLocation": { - "uri": "hawkscan/https://localhost:9000/api/jwt/items/search/%27" - }, - "region": { - "startLine": 1 - } - } - }], - "partialFingerprints": { - "3.9.3": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-2" - } - }, { - "ruleId": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-3", - "message": { - "text": "SQL Injection - PostgreSQL", - "markdown": "SQL Injection - PostgreSQL" - }, - "locations": [{ - "physicalLocation": { - "artifactLocation": { - "uri": "hawkscan/https://localhost:9000/api/jwt/users/search/bad/%27" - }, - "region": { - "startLine": 1 - } - } - }], - "partialFingerprints": { - "3.9.3": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-3" - } - }], - "automationDetails": { - "id": "HawkScan 83e89958-cc21-4bba-b2b4-64b143bce6f4", - "description": { - "text": "This is a Scan 83e89958-cc21-4bba-b2b4-64b143bce6f4 of Application: 5ab4e12e-eade-416f-87f8-ec1ca3120fa7" - } - } - }] -} \ No newline at end of file diff --git a/stackhawk.sarif b/stackhawk.sarif deleted file mode 100644 index f5321f32..00000000 
--- a/stackhawk.sarif
+++ /dev/null
@@ -1,173 +0,0 @@ -{ - "version": "2.1.0", - "$schema": "https://json.schemastore.org/sarif-2.1.0", - "runs": [{ - "tool": { - "driver": { - "version": "3.9.3", - "name": "StackHawk", - "informationUri": "https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4", - "properties": { - "scanId": "83e89958-cc21-4bba-b2b4-64b143bce6f4" - }, - "rules": [{ - "id": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-0", - "name": "SQLInjectionPostgreSQL", - "helpUri": "https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", - "help": { - "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/items/search can be found here: https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", - "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018) at `https://localhost:9000/api/jwt/items/search`" - }, - "properties": { - "tags": ["CWE-89", "WASC-19"], - "security-severity": "8.0" - }, - "shortDescription": { - "text": "SQL Injection - PostgreSQL" - }, - "fullDescription": { - "text": "SQL Injection - PostgreSQL" - } - }, { - "id": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-1", - "name": "SQLInjectionPostgreSQL", - "helpUri": "https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", - "help": { - "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/items/search/%27 can be found here: https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", - "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018) at `https://localhost:9000/api/jwt/items/search/%27`" - }, - "properties": { - "tags": ["CWE-89", "WASC-19"], - "security-severity": "8.0" - }, - "shortDescription": { - "text": "SQL Injection - PostgreSQL" - }, - 
"fullDescription": { - "text": "SQL Injection - PostgreSQL" - } - }, { - "id": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-2", - "name": "SQLInjectionPostgreSQL", - "helpUri": "https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", - "help": { - "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/items/search/%27 can be found here: https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", - "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018) at `https://localhost:9000/api/jwt/items/search/%27`" - }, - "properties": { - "tags": ["CWE-89", "WASC-19"], - "security-severity": "8.0" - }, - "shortDescription": { - "text": "SQL Injection - PostgreSQL" - }, - "fullDescription": { - "text": "SQL Injection - PostgreSQL" - } - }, { - "id": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-3", - "name": "SQLInjectionPostgreSQL", - "helpUri": "https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", - "help": { - "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/users/search/bad/%27 can be found here: https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018", - "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/83e89958-cc21-4bba-b2b4-64b143bce6f4/finding/40018) at `https://localhost:9000/api/jwt/users/search/bad/%27`" - }, - "properties": { - "tags": ["CWE-89", "WASC-19"], - "security-severity": "8.0" - }, - "shortDescription": { - "text": "SQL Injection - PostgreSQL" - }, - "fullDescription": { - "text": "SQL Injection - PostgreSQL" - } - }], - "fullName": "HawkScan 3.9.3" - } - }, - "results": [{ - "ruleId": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-0", - "message": { - "text": "SQL Injection - PostgreSQL", - "markdown": "SQL Injection - PostgreSQL" - }, - 
"locations": [{ - "physicalLocation": { - "artifactLocation": { - "uri": "hawkscan/https://localhost:9000/api/jwt/items/search" - }, - "region": { - "startLine": 1 - } - } - }], - "partialFingerprints": { - "3.9.3": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-0" - } - }, { - "ruleId": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-1", - "message": { - "text": "SQL Injection - PostgreSQL", - "markdown": "SQL Injection - PostgreSQL" - }, - "locations": [{ - "physicalLocation": { - "artifactLocation": { - "uri": "hawkscan/https://localhost:9000/api/jwt/items/search/%27" - }, - "region": { - "startLine": 1 - } - } - }], - "partialFingerprints": { - "3.9.3": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-1" - } - }, { - "ruleId": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-2", - "message": { - "text": "SQL Injection - PostgreSQL", - "markdown": "SQL Injection - PostgreSQL" - }, - "locations": [{ - "physicalLocation": { - "artifactLocation": { - "uri": "hawkscan/https://localhost:9000/api/jwt/items/search/%27" - }, - "region": { - "startLine": 1 - } - } - }], - "partialFingerprints": { - "3.9.3": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-2" - } - }, { - "ruleId": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-3", - "message": { - "text": "SQL Injection - PostgreSQL", - "markdown": "SQL Injection - PostgreSQL" - }, - "locations": [{ - "physicalLocation": { - "artifactLocation": { - "uri": "hawkscan/https://localhost:9000/api/jwt/users/search/bad/%27" - }, - "region": { - "startLine": 1 - } - } - }], - "partialFingerprints": { - "3.9.3": "83e89958-cc21-4bba-b2b4-64b143bce6f4-40018-3" - } - }], - "automationDetails": { - "id": "HawkScan 83e89958-cc21-4bba-b2b4-64b143bce6f4", - "description": { - "text": "This is a Scan 83e89958-cc21-4bba-b2b4-64b143bce6f4 of Application: 5ab4e12e-eade-416f-87f8-ec1ca3120fa7" - } - } - }] -} \ No newline at end of file From 9364ffbe2bbf07491bfb2254acbcb964104e62c5 Mon Sep 17 00:00:00 2001 
From: Dana White
Date: Sun, 19 May 2024 18:38:39 -0600
Subject: [PATCH 29/35] more cleanup

---
 .github/workflows/codeql.yml | 4 ++--
 .github/workflows/hawkscan-scan.yml | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 7573719e..b36bd538 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -14,8 +14,8 @@ name: "CodeQL"
 on:
 push:
 branches: [ "main" ]
-# pull_request:
-# branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
 schedule:
 - cron: '39 10 * * 2'
 
diff --git a/.github/workflows/hawkscan-scan.yml b/.github/workflows/hawkscan-scan.yml
index c0a54287..7a7863fb 100644
--- a/.github/workflows/hawkscan-scan.yml
+++ b/.github/workflows/hawkscan-scan.yml
@@ -3,9 +3,9 @@ on:
 pull_request:
 branches:
 - main
- push:
- branches:
- - feature/codql
+# push:
+# branches:
+# - feature/codql
 
 jobs:
 javaspringvulny-test:

From 36557c1c89462fa6df54834869c8879875f08a2d Mon Sep 17 00:00:00 2001
From: Dana White
Date: Sun, 19 May 2024 18:45:12 -0600
Subject: [PATCH 30/35] cleanup

---
 .github/workflows/codeql.yml | 2 --
 .github/workflows/hawkscan-action.yml | 23 +++++++++++++++++++++++
 .github/workflows/hawkscan-scan.yml | 6 +++---
 3 files changed, 26 insertions(+), 5 deletions(-)
 create mode 100644 .github/workflows/hawkscan-action.yml

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index b36bd538..a4c75c66 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -16,8 +16,6 @@ on:
 branches: [ "main" ]
 pull_request:
 branches: [ "main" ]
- schedule:
- - cron: '39 10 * * 2'
 
 jobs:
 analyze:
diff --git a/.github/workflows/hawkscan-action.yml b/.github/workflows/hawkscan-action.yml
new file mode 100644
index 00000000..4ff275c3
--- /dev/null
+++ b/.github/workflows/hawkscan-action.yml
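Review bot: Dropping the `schedule` trigger means CodeQL only runs when `main` changes or a PR is opened, so a repository that goes quiet stops being re-analysed and findings that newer CodeQL query releases would raise are missed until the next commit. If the weekly run was removed because it is slow or noisy, a comment saying so would help; otherwise keeping `schedule:` / `- cron: '39 10 * * 2'` is the safer default. The earlier hunks in this series toggle triggers in both workflows back and forth; squashing before merge would make the intended end state much easier to audit.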
@@ -0,0 +1,23 @@
+name: "action-tests"
+on:
+ pull_request:
+
+jobs:
+ javaspringvulny-test:
+ name: Java Spring Vulny Test
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout javaspringvulny repository
+ uses: actions/checkout@v3
+ - name: Run javaspringvulny
+ run: docker-compose up -d
+ - name: Run Hawkscan
+ uses: stackhawk/hawkscan-action@v2.1.3
+ with:
+ apiKey: ${{ secrets.HAWK_API_KEY }}
+ configurationFiles: stackhawk.d/stackhawk.yml stackhawk.d/stackhawk-jsv-json-token.yml
+ sarif_file: stackhawk.sarif
+ env:
+ APP_ID: fe3b8948-0edb-4fa4-a3b7-6fa200461f78
+ ENV: action-scan
+ SARIF_ARTIFACT: true
\ No newline at end of file
diff --git a/.github/workflows/hawkscan-scan.yml b/.github/workflows/hawkscan-scan.yml
index 7a7863fb..8799df0e 100644
--- a/.github/workflows/hawkscan-scan.yml
+++ b/.github/workflows/hawkscan-scan.yml
@@ -3,9 +3,9 @@ on:
 pull_request:
 branches:
 - main
-# push:
-# branches:
-# - feature/codql
+ push:
+ branches:
+ - main
 
 jobs:
 javaspringvulny-test:

From 91d3a54a2540f73e6e36a89cbe011ce00543ebbf Mon Sep 17 00:00:00 2001
From: Dana White
Date: Sun, 19 May 2024 19:01:44 -0600
Subject: [PATCH 31/35] things

---
 .github/workflows/hawkscan-scan.yml | 8 ++
 stackhawk_test.sarif | 173 ++++++++++++++++++++++++++++
 2 files changed, 181 insertions(+)
 create mode 100644 stackhawk_test.sarif

diff --git a/.github/workflows/hawkscan-scan.yml b/.github/workflows/hawkscan-scan.yml
index 8799df0e..893df9b8 100644
--- a/.github/workflows/hawkscan-scan.yml
+++ b/.github/workflows/hawkscan-scan.yml
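Review bot: The new `hawkscan-action.yml` duplicates `hawkscan-scan.yml` almost line for line but pins `actions/checkout@v3` where the other file uses `@v4`, and puts `sarif_file: stackhawk.sarif` under `with:` of `stackhawk/hawkscan-action`, which elsewhere in this series is an input of `upload-sarif`, not of the scan action; whether the scan action accepts it is not shown on this page, and if it does not the runner only warns and ignores the key. Both files are named `action-tests` and both fire on `pull_request`, so every PR starts the target and runs the scan twice, doubling API-key use and run time. Patch 34 deletes this file again as a stray workflow; if it is meant to exist at all, it needs a distinct `name:` and the `v4` checkout, otherwise dropping it within the same series avoids the duplicate runs in between.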
@@ -27,6 +27,14 @@ jobs:
 SARIF_ARTIFACT: true
 COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
 BRANCH_NAME: ${{ github.head_ref }}
+ - name: Upload SARIF 2
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ # Path to SARIF file relative to the root of the repository
+ sarif_file: stackhawk_test.sarif
+ # Optional category for the results
+ # Used to differentiate multiple results for one commit
+ category: StackHawk
 - name: Upload SARIF file
 uses: github/codeql-action/upload-sarif@v3
 with:
diff --git a/stackhawk_test.sarif b/stackhawk_test.sarif
new file mode 100644
index 00000000..a0be1af1
--- /dev/null
+++ b/stackhawk_test.sarif
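Review bot: The new `Upload SARIF 2` step uses `category: StackHawk`, the same category as the existing `Upload SARIF file` step right below it, for the same commit; as I understand code scanning, a second upload with the same category and commit replaces the first rather than appearing alongside it, which is exactly what the copied comment `# Used to differentiate multiple results for one commit` is warning about. Give the test upload its own category, e.g. `category: StackHawk-test`, or drop the step. Note also that `stackhawk_test.sarif` is a committed fixture whose findings point at fixed scan IDs, so uploading it on every run seeds the code-scanning alerts with results that do not reflect the current code.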
@@ -0,0 +1,173 @@ +{ + "version": "2.1.0", + "$schema": "https://json.schemastore.org/sarif-2.1.0", + "runs": [{ + "tool": { + "driver": { + "version": "3.9.3", + "name": "StackHawk", + "informationUri": "https://app.test.stackhawk.com/scans/90843c76-1edd-4767-abc1-6ecee5f6d062", + "properties": { + "scanId": "90843c76-1edd-4767-abc1-6ecee5f6d062" + }, + "rules": [{ + "id": "90843c76-1edd-4767-abc1-6ecee5f6d062-40018-0", + "name": "SqlInjectionPostgreSql", + "helpUri": "https://app.test.stackhawk.com/scans/90843c76-1edd-4767-abc1-6ecee5f6d062/finding/40018", + "help": { + "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/items/search can be found here: https://app.test.stackhawk.com/scans/90843c76-1edd-4767-abc1-6ecee5f6d062/finding/40018", + "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/90843c76-1edd-4767-abc1-6ecee5f6d062/finding/40018) at `https://localhost:9000/api/jwt/items/search`" + }, + "properties": { + "tags": ["CWE-89", "WASC-19"], + "security-severity": "8.0" + }, + "shortDescription": { + "text": "SQL Injection - PostgreSQL" + }, + "fullDescription": { + "text": "SQL Injection - PostgreSQL" + } + }, { + "id": "90843c76-1edd-4767-abc1-6ecee5f6d062-40018-1", + "name": "SqlInjectionPostgreSql", + "helpUri": "https://app.test.stackhawk.com/scans/90843c76-1edd-4767-abc1-6ecee5f6d062/finding/40018", + "help": { + "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/users/search/bad/%27 can be found here: https://app.test.stackhawk.com/scans/90843c76-1edd-4767-abc1-6ecee5f6d062/finding/40018", + "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/90843c76-1edd-4767-abc1-6ecee5f6d062/finding/40018) at `https://localhost:9000/api/jwt/users/search/bad/%27`" + }, + "properties": { + "tags": ["CWE-89", "WASC-19"], + "security-severity": "8.0" + }, + "shortDescription": { + "text": "SQL Injection - PostgreSQL" + }, + 
"fullDescription": { + "text": "SQL Injection - PostgreSQL" + } + }, { + "id": "90843c76-1edd-4767-abc1-6ecee5f6d062-40018-2", + "name": "SqlInjectionPostgreSql", + "helpUri": "https://app.test.stackhawk.com/scans/90843c76-1edd-4767-abc1-6ecee5f6d062/finding/40018", + "help": { + "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/items/search/%27 can be found here: https://app.test.stackhawk.com/scans/90843c76-1edd-4767-abc1-6ecee5f6d062/finding/40018", + "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/90843c76-1edd-4767-abc1-6ecee5f6d062/finding/40018) at `https://localhost:9000/api/jwt/items/search/%27`" + }, + "properties": { + "tags": ["CWE-89", "WASC-19"], + "security-severity": "8.0" + }, + "shortDescription": { + "text": "SQL Injection - PostgreSQL" + }, + "fullDescription": { + "text": "SQL Injection - PostgreSQL" + } + }, { + "id": "90843c76-1edd-4767-abc1-6ecee5f6d062-40018-3", + "name": "SqlInjectionPostgreSql", + "helpUri": "https://app.test.stackhawk.com/scans/90843c76-1edd-4767-abc1-6ecee5f6d062/finding/40018", + "help": { + "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/items/search/%27 can be found here: https://app.test.stackhawk.com/scans/90843c76-1edd-4767-abc1-6ecee5f6d062/finding/40018", + "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/90843c76-1edd-4767-abc1-6ecee5f6d062/finding/40018) at `https://localhost:9000/api/jwt/items/search/%27`" + }, + "properties": { + "tags": ["CWE-89", "WASC-19"], + "security-severity": "8.0" + }, + "shortDescription": { + "text": "SQL Injection - PostgreSQL" + }, + "fullDescription": { + "text": "SQL Injection - PostgreSQL" + } + }], + "fullName": "HawkScan 3.9.3" + } + }, + "results": [{ + "ruleId": "90843c76-1edd-4767-abc1-6ecee5f6d062-40018-0", + "message": { + "text": "SQL Injection - PostgreSQL", + "markdown": "SQL Injection - PostgreSQL" + }, + "locations": 
[{ + "physicalLocation": { + "artifactLocation": { + "uri": "hawkscan/https://localhost:9000/api/jwt/items/search" + }, + "region": { + "startLine": 1 + } + } + }], + "partialFingerprints": { + "3.9.3": "90843c76-1edd-4767-abc1-6ecee5f6d062-40018-0" + } + }, { + "ruleId": "90843c76-1edd-4767-abc1-6ecee5f6d062-40018-1", + "message": { + "text": "SQL Injection - PostgreSQL", + "markdown": "SQL Injection - PostgreSQL" + }, + "locations": [{ + "physicalLocation": { + "artifactLocation": { + "uri": "hawkscan/https://localhost:9000/api/jwt/users/search/bad/%27" + }, + "region": { + "startLine": 1 + } + } + }], + "partialFingerprints": { + "3.9.3": "90843c76-1edd-4767-abc1-6ecee5f6d062-40018-1" + } + }, { + "ruleId": "90843c76-1edd-4767-abc1-6ecee5f6d062-40018-2", + "message": { + "text": "SQL Injection - PostgreSQL", + "markdown": "SQL Injection - PostgreSQL" + }, + "locations": [{ + "physicalLocation": { + "artifactLocation": { + "uri": "hawkscan/https://localhost:9000/api/jwt/items/search/%27" + }, + "region": { + "startLine": 1 + } + } + }], + "partialFingerprints": { + "3.9.3": "90843c76-1edd-4767-abc1-6ecee5f6d062-40018-2" + } + }, { + "ruleId": "90843c76-1edd-4767-abc1-6ecee5f6d062-40018-3", + "message": { + "text": "SQL Injection - PostgreSQL", + "markdown": "SQL Injection - PostgreSQL" + }, + "locations": [{ + "physicalLocation": { + "artifactLocation": { + "uri": "hawkscan/https://localhost:9000/api/jwt/items/search/%27" + }, + "region": { + "startLine": 1 + } + } + }], + "partialFingerprints": { + "3.9.3": "90843c76-1edd-4767-abc1-6ecee5f6d062-40018-3" + } + }], + "automationDetails": { + "id": "HawkScan 90843c76-1edd-4767-abc1-6ecee5f6d062", + "description": { + "text": "This is a Scan 90843c76-1edd-4767-abc1-6ecee5f6d062 of Application: 5ab4e12e-eade-416f-87f8-ec1ca3120fa7" + } + } + }] +} \ No newline at end of file From 5756791dcf68232a315bba8498ed6d029ff00cb4 Mon Sep 17 00:00:00 2001 
From: Dana White
Date: Sun, 19 May 2024 19:23:22 -0600
Subject: [PATCH 32/35] Removing sarif

---
 stackhawk_test.sarif | 173 -------------------------------------------
 1 file changed, 173 deletions(-)
 delete mode 100644 stackhawk_test.sarif

diff --git a/stackhawk_test.sarif b/stackhawk_test.sarif
deleted file mode 100644
index a0be1af1..00000000
--- a/stackhawk_test.sarif
+++ /dev/null
@@ -1,173 +0,0 @@ -{ - "version": "2.1.0", - "$schema": "https://json.schemastore.org/sarif-2.1.0", - "runs": [{ - "tool": { - "driver": { - "version": "3.9.3", - "name": "StackHawk", - "informationUri": "https://app.test.stackhawk.com/scans/90843c76-1edd-4767-abc1-6ecee5f6d062", - "properties": { - "scanId": "90843c76-1edd-4767-abc1-6ecee5f6d062" - }, - "rules": [{ - "id": "90843c76-1edd-4767-abc1-6ecee5f6d062-40018-0", - "name": "SqlInjectionPostgreSql", - "helpUri": "https://app.test.stackhawk.com/scans/90843c76-1edd-4767-abc1-6ecee5f6d062/finding/40018", - "help": { - "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/items/search can be found here: https://app.test.stackhawk.com/scans/90843c76-1edd-4767-abc1-6ecee5f6d062/finding/40018", - "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/90843c76-1edd-4767-abc1-6ecee5f6d062/finding/40018) at `https://localhost:9000/api/jwt/items/search`" - }, - "properties": { - "tags": ["CWE-89", "WASC-19"], - "security-severity": "8.0" - }, - "shortDescription": { - "text": "SQL Injection - PostgreSQL" - }, - "fullDescription": { - "text": "SQL Injection - PostgreSQL" - } - }, { - "id": "90843c76-1edd-4767-abc1-6ecee5f6d062-40018-1", - "name": "SqlInjectionPostgreSql", - "helpUri": "https://app.test.stackhawk.com/scans/90843c76-1edd-4767-abc1-6ecee5f6d062/finding/40018", - "help": { - "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/users/search/bad/%27 can be found here: https://app.test.stackhawk.com/scans/90843c76-1edd-4767-abc1-6ecee5f6d062/finding/40018", - "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/90843c76-1edd-4767-abc1-6ecee5f6d062/finding/40018) at `https://localhost:9000/api/jwt/users/search/bad/%27`" - }, - "properties": { - "tags": ["CWE-89", "WASC-19"], - "security-severity": "8.0" - }, - "shortDescription": { - "text": "SQL Injection - PostgreSQL" - }, - 
"fullDescription": { - "text": "SQL Injection - PostgreSQL" - } - }, { - "id": "90843c76-1edd-4767-abc1-6ecee5f6d062-40018-2", - "name": "SqlInjectionPostgreSql", - "helpUri": "https://app.test.stackhawk.com/scans/90843c76-1edd-4767-abc1-6ecee5f6d062/finding/40018", - "help": { - "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/items/search/%27 can be found here: https://app.test.stackhawk.com/scans/90843c76-1edd-4767-abc1-6ecee5f6d062/finding/40018", - "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/90843c76-1edd-4767-abc1-6ecee5f6d062/finding/40018) at `https://localhost:9000/api/jwt/items/search/%27`" - }, - "properties": { - "tags": ["CWE-89", "WASC-19"], - "security-severity": "8.0" - }, - "shortDescription": { - "text": "SQL Injection - PostgreSQL" - }, - "fullDescription": { - "text": "SQL Injection - PostgreSQL" - } - }, { - "id": "90843c76-1edd-4767-abc1-6ecee5f6d062-40018-3", - "name": "SqlInjectionPostgreSql", - "helpUri": "https://app.test.stackhawk.com/scans/90843c76-1edd-4767-abc1-6ecee5f6d062/finding/40018", - "help": { - "text": "Details for SQL Injection - PostgreSQL at https://localhost:9000/api/jwt/items/search/%27 can be found here: https://app.test.stackhawk.com/scans/90843c76-1edd-4767-abc1-6ecee5f6d062/finding/40018", - "markdown": "Details for [SQL Injection - PostgreSQL](https://app.test.stackhawk.com/scans/90843c76-1edd-4767-abc1-6ecee5f6d062/finding/40018) at `https://localhost:9000/api/jwt/items/search/%27`" - }, - "properties": { - "tags": ["CWE-89", "WASC-19"], - "security-severity": "8.0" - }, - "shortDescription": { - "text": "SQL Injection - PostgreSQL" - }, - "fullDescription": { - "text": "SQL Injection - PostgreSQL" - } - }], - "fullName": "HawkScan 3.9.3" - } - }, - "results": [{ - "ruleId": "90843c76-1edd-4767-abc1-6ecee5f6d062-40018-0", - "message": { - "text": "SQL Injection - PostgreSQL", - "markdown": "SQL Injection - PostgreSQL" - }, - "locations": 
[{ - "physicalLocation": { - "artifactLocation": { - "uri": "hawkscan/https://localhost:9000/api/jwt/items/search" - }, - "region": { - "startLine": 1 - } - } - }], - "partialFingerprints": { - "3.9.3": "90843c76-1edd-4767-abc1-6ecee5f6d062-40018-0" - } - }, { - "ruleId": "90843c76-1edd-4767-abc1-6ecee5f6d062-40018-1", - "message": { - "text": "SQL Injection - PostgreSQL", - "markdown": "SQL Injection - PostgreSQL" - }, - "locations": [{ - "physicalLocation": { - "artifactLocation": { - "uri": "hawkscan/https://localhost:9000/api/jwt/users/search/bad/%27" - }, - "region": { - "startLine": 1 - } - } - }], - "partialFingerprints": { - "3.9.3": "90843c76-1edd-4767-abc1-6ecee5f6d062-40018-1" - } - }, { - "ruleId": "90843c76-1edd-4767-abc1-6ecee5f6d062-40018-2", - "message": { - "text": "SQL Injection - PostgreSQL", - "markdown": "SQL Injection - PostgreSQL" - }, - "locations": [{ - "physicalLocation": { - "artifactLocation": { - "uri": "hawkscan/https://localhost:9000/api/jwt/items/search/%27" - }, - "region": { - "startLine": 1 - } - } - }], - "partialFingerprints": { - "3.9.3": "90843c76-1edd-4767-abc1-6ecee5f6d062-40018-2" - } - }, { - "ruleId": "90843c76-1edd-4767-abc1-6ecee5f6d062-40018-3", - "message": { - "text": "SQL Injection - PostgreSQL", - "markdown": "SQL Injection - PostgreSQL" - }, - "locations": [{ - "physicalLocation": { - "artifactLocation": { - "uri": "hawkscan/https://localhost:9000/api/jwt/items/search/%27" - }, - "region": { - "startLine": 1 - } - } - }], - "partialFingerprints": { - "3.9.3": "90843c76-1edd-4767-abc1-6ecee5f6d062-40018-3" - } - }], - "automationDetails": { - "id": "HawkScan 90843c76-1edd-4767-abc1-6ecee5f6d062", - "description": { - "text": "This is a Scan 90843c76-1edd-4767-abc1-6ecee5f6d062 of Application: 5ab4e12e-eade-416f-87f8-ec1ca3120fa7" - } - } - }] -} \ No newline at end of file From 18aa7aa6af20e7db0f7e09f626f22fae75b002c7 Mon Sep 17 00:00:00 2001 
From: Dana White
Date: Sun, 19 May 2024 19:25:37 -0600
Subject: [PATCH 33/35] Full scan

---
 stackhawk.d/stackhawk-jsv-json-token.yml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/stackhawk.d/stackhawk-jsv-json-token.yml b/stackhawk.d/stackhawk-jsv-json-token.yml
index f7ab80e0..2da305af 100644
--- a/stackhawk.d/stackhawk-jsv-json-token.yml
+++ b/stackhawk.d/stackhawk-jsv-json-token.yml
@@ -2,9 +2,6 @@ hawk:
 spider:
 maxDurationMinutes: 2
 base: false
- scan:
- includedPlugins:
- - 40018
 app:
 openApiConf:
 path: /openapi

From ca0efc348cc796480449a569dd6235ef7d57c753 Mon Sep 17 00:00:00 2001
From: Dana White
Date: Sun, 19 May 2024 19:29:37 -0600
Subject: [PATCH 34/35] Remove stray workflow

---
 .github/workflows/hawkscan-action.yml | 23 -----------------------
 1 file changed, 23 deletions(-)
 delete mode 100644 .github/workflows/hawkscan-action.yml

diff --git a/.github/workflows/hawkscan-action.yml b/.github/workflows/hawkscan-action.yml
deleted file mode 100644
index 4ff275c3..00000000
--- a/.github/workflows/hawkscan-action.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-name: "action-tests"
-on:
- pull_request:
-
-jobs:
- javaspringvulny-test:
- name: Java Spring Vulny Test
- runs-on: ubuntu-latest
- steps:
- - name: Checkout javaspringvulny repository
- uses: actions/checkout@v3
- - name: Run javaspringvulny
- run: docker-compose up -d
- - name: Run Hawkscan
- uses: stackhawk/hawkscan-action@v2.1.3
- with:
- apiKey: ${{ secrets.HAWK_API_KEY }}
- configurationFiles: stackhawk.d/stackhawk.yml stackhawk.d/stackhawk-jsv-json-token.yml
- sarif_file: stackhawk.sarif
- env:
- APP_ID: fe3b8948-0edb-4fa4-a3b7-6fa200461f78
- ENV: action-scan
- SARIF_ARTIFACT: true
\ No newline at end of file

From 69c96f07437a81dd93245b1bab2a87168586d8e0 Mon Sep 17 00:00:00 2001
From: Dana White
Date: Sun, 19 May 2024 19:39:24 -0600
Subject: [PATCH 35/35] more things

---
 .github/workflows/hawkscan-scan.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

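Review bot: Removing `scan.includedPlugins` turns this config from a single-check scan (plugin `40018`) into HawkScan's default full plugin set, a much longer and noisier active scan against the app that `docker-compose up -d` starts in CI; the remaining `spider.maxDurationMinutes: 2` caps only the spider, not the active scan, and the hunks of this series show no `timeout-minutes` on the `javaspringvulny-test` job, so a hung scan runs until the runner's default limit. A one-line comment recording the intent would help the next reader, e.g. `# Full active scan: default plugin set, no includedPlugins filter`. Adding `timeout-minutes:` to the job alongside this change would bound the worst case.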
diff --git a/.github/workflows/hawkscan-scan.yml b/.github/workflows/hawkscan-scan.yml
index 893df9b8..c67c3ce8 100644
--- a/.github/workflows/hawkscan-scan.yml
+++ b/.github/workflows/hawkscan-scan.yml
@@ -27,14 +27,14 @@ jobs:
 SARIF_ARTIFACT: true
 COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
 BRANCH_NAME: ${{ github.head_ref }}
- - name: Upload SARIF 2
- uses: github/codeql-action/upload-sarif@v3
- with:
- # Path to SARIF file relative to the root of the repository
- sarif_file: stackhawk_test.sarif
- # Optional category for the results
- # Used to differentiate multiple results for one commit
- category: StackHawk
+# - name: Upload SARIF 2
+# uses: github/codeql-action/upload-sarif@v3
+# with:
+# # Path to SARIF file relative to the root of the repository
+# sarif_file: stackhawk_test.sarif
+# # Optional category for the results
+# # Used to differentiate multiple results for one commit
+# category: StackHawk
 - name: Upload SARIF file
 uses: github/codeql-action/upload-sarif@v3
 with:
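Review bot: The `Upload SARIF 2` step is commented out rather than deleted, and the file it points at, `stackhawk_test.sarif`, was already removed in patch 32, so this block can never be re-enabled as written; deleting the eight commented lines keeps the workflow readable and removes a dead reference. If a second upload is wanted later it can be recovered from history and given a distinct `category:`. The enclosing `steps:` list and the `Upload SARIF file` step continue outside the hunk.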